From 8b09873cc0926bd1167a501177e1b12c37a1ee04 Mon Sep 17 00:00:00 2001 From: Joe <83741749+paladin-devops@users.noreply.github.com> Date: Mon, 7 Feb 2022 13:34:33 -0500 Subject: [PATCH] identity/oidc: loopback redirect dynamic port (#13871) * Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address. * Update changelog/13871.txt Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> * Update redirectURI check to match that for the OIDC auth method. Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> --- changelog/13871.txt | 3 ++ vault/identity_store_oidc_provider.go | 3 +- vault/identity_store_oidc_provider_util.go | 38 ++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 changelog/13871.txt create mode 100644 vault/identity_store_oidc_provider_util.go diff --git a/changelog/13871.txt b/changelog/13871.txt new file mode 100644 index 000000000000..c8c5103bbf3b --- /dev/null +++ b/changelog/13871.txt @@ -0,0 +1,3 @@ +```release-note:bug +identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. +``` diff --git a/vault/identity_store_oidc_provider.go b/vault/identity_store_oidc_provider.go index d3a7a260de4c..e3580a9e16e7 100644 --- a/vault/identity_store_oidc_provider.go +++ b/vault/identity_store_oidc_provider.go @@ -1513,7 +1513,8 @@ func (i *IdentityStore) pathOIDCAuthorize(ctx context.Context, req *logical.Requ if redirectURI == "" { return authResponse("", state, ErrAuthInvalidRequest, "redirect_uri parameter is required") } - if !strutil.StrListContains(client.RedirectURIs, redirectURI) { + + if !validRedirect(redirectURI, client.RedirectURIs) { return authResponse("", state, ErrAuthInvalidRedirectURI, "redirect_uri is not allowed for the client") } diff --git a/vault/identity_store_oidc_provider_util.go b/vault/identity_store_oidc_provider_util.go new file mode 100644 index 000000000000..f5b0dadb8a94 --- /dev/null +++ b/vault/identity_store_oidc_provider_util.go @@ -0,0 +1,38 @@ +package vault + +import ( + "net/url" + + "github.com/hashicorp/go-secure-stdlib/strutil" +) + +// validRedirect checks whether uri is in allowed using special handling for loopback uris. +// Ref: https://tools.ietf.org/html/rfc8252#section-7.3 +func validRedirect(uri string, allowed []string) bool { + inputURI, err := url.Parse(uri) + if err != nil { + return false + } + + // if uri isn't a loopback, just string search the allowed list + if !strutil.StrListContains([]string{"localhost", "127.0.0.1", "::1"}, inputURI.Hostname()) { + return strutil.StrListContains(allowed, uri) + } + + // otherwise, search for a match in a port-agnostic manner, per the OAuth RFC. + inputURI.Host = inputURI.Hostname() + + for _, a := range allowed { + allowedURI, err := url.Parse(a) + if err != nil { + return false + } + allowedURI.Host = allowedURI.Hostname() + + if inputURI.String() == allowedURI.String() { + return true + } + } + + return false +}