fix(handlers): redirect uri scenario not handled

This fixes an edge case where the access request would not return a relevant error if the access request was an OpenID Connect 1.0 request with an absent redirect URI. This technically should not be possible but it's a safeguard against the future.
authelia · Aug 29, 2024 · d76eafa · d76eafa
1 parent b0ab6e5
commit d76eafa
Show file tree

Hide file tree

Showing 2 changed files with 268 additions and 184 deletions.
diff --git a/handler/oauth2/flow_authorize_code_token.go b/handler/oauth2/flow_authorize_code_token.go
@@ -56,7 +56,7 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
 
 		return errorsx.WithStack(oauth2.ErrInvalidGrant.WithHint(hint).WithDebug(debug))
 	case errors.Is(err, oauth2.ErrNotFound):
-		return errorsx.WithStack(oauth2.ErrInvalidGrant.WithWrap(err).WithDebugError(err))
+		return errorsx.WithStack(oauth2.ErrInvalidGrant.WithWrap(err).WithDebugf("The authorization code session for the given authorization code was not found."))
 	case err != nil:
 		return errorsx.WithStack(oauth2.ErrServerError.WithWrap(err).WithDebugError(err))
 	}
@@ -84,9 +84,17 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
 	// "redirect_uri" parameter was included in the initial authorization
 	// request as described in Section 4.1.1, and if included ensure that
 	// their values are identical.
-	forcedRedirectURI := authorizeRequest.GetRequestForm().Get(consts.FormParameterRedirectURI)
-	if forcedRedirectURI != "" && forcedRedirectURI != request.GetRequestForm().Get(consts.FormParameterRedirectURI) {
-		return errorsx.WithStack(oauth2.ErrInvalidGrant.WithHint("The 'redirect_uri' from this request does not match the one from the authorize request."))
+	redirectURI := authorizeRequest.GetRequestForm().Get(consts.FormParameterRedirectURI)
+
+	switch redirectURI {
+	case "":
+		if authorizeRequest.GetRequestedScopes().Has(consts.ScopeOpenID) {
+			return errorsx.WithStack(oauth2.ErrInvalidGrant.WithHint("The 'redirect_uri' parameter is required when using OpenID Connect 1.0."))
+		}
+	case request.GetRequestForm().Get(consts.FormParameterRedirectURI):
+		break
+	default:
+		return errorsx.WithStack(oauth2.ErrInvalidGrant.WithHint("The 'redirect_uri' from this request does not match the one from the authorize request.").WithDebugf("The 'redirect_uri' parameter value '%s' utilized in the Access Request does not match the original 'redirect_uri' parameter value '%s' requested in the Authorize Request which is not permitted.", request.GetRequestForm().Get(consts.FormParameterRedirectURI), redirectURI))
 	}
 
 	// Checking of POST client_id skipped, because: