Merge pull request #20088 from ayoho/20059-op-uriValidation

ayoho · web-flow · commit a922e0c65263 · 2022-03-01T10:01:23.000-06:00
Issue 20059: Add validation for OAuth client backchannel logout URI
diff --git a/dev/com.ibm.ws.security.oauth/resources/com/ibm/ws/security/oauth20/internal/resources/OAuthMessages.nlsprops b/dev/com.ibm.ws.security.oauth/resources/com/ibm/ws/security/oauth20/internal/resources/OAuthMessages.nlsprops
@@ -1,5 +1,5 @@
 ###############################################################################
-# Copyright (c) 2012 IBM Corporation and others.
+# Copyright (c) 2012, 2022 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License v1.0
 # which accompanies this distribution, and is available at
@@ -16,7 +16,7 @@
 #NLS_ENCODING=UNICODE
 # -------------------------------------------------------------------------------------------------
 
-# Message prefix block: CWWKS1400 - CWWKS1499
+# Message prefix block: CWWKS1400 - CWWKS1499, CWWKS2300 - CWWKS2349
 OAUTH_PROVIDER_CONFIG_INVALID=CWWKS1400E: The OAuth provider {0} configuration is not valid.
 OAUTH_PROVIDER_CONFIG_INVALID.explanation=Cannot get specified oauth provider configuration.
 OAUTH_PROVIDER_CONFIG_INVALID.useraction=Specify a valid oauth provider configuration.
@@ -458,6 +458,20 @@ WRONG_TOKEN_GRANTTYPE=CWWKS1497E: The token with grant type [{0}] is not allowed
 WRONG_TOKEN_GRANTTYPE.explanation=The token is not valid because its grant type is not allowed.
 WRONG_TOKEN_GRANTTYPE.useraction=Use a token with a grant type that is allowed.
 
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_CONTAINS_FRAGMENT=CWWKS1498E: The [{0}] URI for the {1} client registration metadata field is not valid because it contains a fragment.
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_CONTAINS_FRAGMENT.explanation=The request cannot be completed because the URI must not contain a fragment.
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_CONTAINS_FRAGMENT.useraction=Review the property value in the request and remove the URI fragment.
+
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_INVALID_SCHEME=CWWKS1499E: The [{0}] URI for the {1} client registration metadata field is not valid because it does not use the HTTP or HTTPS scheme.
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_INVALID_SCHEME.explanation=The URI value must use the HTTP or HTTPS scheme.
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_INVALID_SCHEME.useraction=Review the property value in the request and update it to use the HTTP or HTTPS scheme.
+
+# NOTE: Start of new message prefix CWWKS2300 - 2349
+
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_HTTP_SCHEME_CLIENT_NOT_CONFIDENTIAL=CWWKS2300E: The [{0}] URI for the {1} client registration metadata field is not valid because it uses the HTTP scheme but the [{2}] OAuth client is not a confidential client.
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_HTTP_SCHEME_CLIENT_NOT_CONFIDENTIAL.explanation=The URI value for the metadata field that is specified in the message may use the HTTP scheme only if the OAuth client is a confidential client. Otherwise, the HTTPS scheme must be used.
+OAUTH_CLIENT_REGISTRATION_VALUE_URI_HTTP_SCHEME_CLIENT_NOT_CONFIDENTIAL.useraction=Update the URI to use the HTTPS scheme, or update the OAuth client to be a confidential client.
+
 # html title of logout page
 LOGOUT_PAGE_TITLE=Logout
 # html body of logout page
diff --git a/dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/OidcBaseClientValidator.java b/dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/OidcBaseClientValidator.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2014, 2021 IBM Corporation and others.
+ * Copyright (c) 2014, 2022 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -104,6 +104,8 @@ public OidcBaseClient validateCreateUpdate() throws OidcServerException {
 
         validateOutputParameters();
 
+        validateBackchannelLogoutUri();
+
         return this.client;
     }
 
@@ -656,4 +658,44 @@ private void validateUris(JsonArray uris, String clientMetadataField) throws Oid
             }
         }
     }
+
+    /**
+     * Validates the backchannelLogoutUri/backchannel_logout_uri attribute of the client. Per Section 2.2 of
+     * https://openid.net/specs/openid-connect-backchannel-1_0.html:
+     * 1. The back-channel logout URI MUST be an absolute URI as defined by Section 4.3 of [RFC3986].
+     * 2. The back-channel logout URI MAY include an application/x-www-form-urlencoded formatted query component, per Section 3.4 of [RFC3986], which MUST be retained when adding additional query parameters.
+     * 3. The back-channel logout URI MUST NOT include a fragment component.
+     * 4. This URL SHOULD use the https scheme and MAY contain port, path, and query parameter components; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0 [RFC6749], and provided the OP allows the use of http RP URIs.
+     */
+    void validateBackchannelLogoutUri() throws OidcServerException {
+        URI uri;
+        String logoutUri = client.getBackchannelLogoutUri();
+        if (logoutUri == null) {
+            return;
+        }
+        try {
+            uri = new URI(logoutUri);
+        } catch (URISyntaxException e) {
+            throw new OidcServerException(new BrowserAndServerLogMessage(tc, "OAUTH_CLIENT_REGISTRATION_VALUE_MALFORMED_URI", new Object[] { logoutUri, OidcBaseClient.SN_BACKCHANNEL_LOGOUT_URI }),
+                    OIDCConstants.ERROR_INVALID_CLIENT_METADATA, HttpServletResponse.SC_BAD_REQUEST, e);
+        }
+        if (!uri.isAbsolute()) {
+            throw new OidcServerException(new BrowserAndServerLogMessage(tc, "OAUTH_CLIENT_REGISTRATION_VALUE_NOT_ABSOLUTE_URI", new Object[] { logoutUri, OidcBaseClient.SN_BACKCHANNEL_LOGOUT_URI }),
+                    OIDCConstants.ERROR_INVALID_CLIENT_METADATA, HttpServletResponse.SC_BAD_REQUEST);
+        }
+        if (uri.getFragment() != null) {
+            throw new OidcServerException(new BrowserAndServerLogMessage(tc, "OAUTH_CLIENT_REGISTRATION_VALUE_URI_CONTAINS_FRAGMENT", new Object[] { logoutUri, OidcBaseClient.SN_BACKCHANNEL_LOGOUT_URI }),
+                    OIDCConstants.ERROR_INVALID_CLIENT_METADATA, HttpServletResponse.SC_BAD_REQUEST);
+        }
+        String scheme = uri.getScheme();
+        if (scheme == null || (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https"))) {
+            throw new OidcServerException(new BrowserAndServerLogMessage(tc, "OAUTH_CLIENT_REGISTRATION_VALUE_URI_INVALID_SCHEME", new Object[] { logoutUri, OidcBaseClient.SN_BACKCHANNEL_LOGOUT_URI }),
+                    OIDCConstants.ERROR_INVALID_CLIENT_METADATA, HttpServletResponse.SC_BAD_REQUEST);
+        }
+        if (scheme.equalsIgnoreCase("http") && !client.isConfidential()) {
+            throw new OidcServerException(new BrowserAndServerLogMessage(tc, "OAUTH_CLIENT_REGISTRATION_VALUE_URI_HTTP_SCHEME_CLIENT_NOT_CONFIDENTIAL", new Object[] { logoutUri, OidcBaseClient.SN_BACKCHANNEL_LOGOUT_URI, client.getClientId() }),
+                    OIDCConstants.ERROR_INVALID_CLIENT_METADATA, HttpServletResponse.SC_BAD_REQUEST);
+        }
+    }
+
 }
diff --git a/dev/com.ibm.ws.security.oauth/test/com/ibm/ws/security/oauth20/plugins/OidcBaseClientValidatorTest.java b/dev/com.ibm.ws.security.oauth/test/com/ibm/ws/security/oauth20/plugins/OidcBaseClientValidatorTest.java
@@ -11,6 +11,7 @@
 package com.ibm.ws.security.oauth20.plugins;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 import javax.servlet.http.HttpServletResponse;
@@ -36,12 +37,14 @@ public class OidcBaseClientValidatorTest {
     private final String redirectUri2 = "https://localhost:8999/resource/redirect2";
     private final JsonArray redirectUris = new JsonArray();
     private OidcBaseClient client;
+    private OidcBaseClient publicClient;
 
     @Before
     public void setUp() {
         redirectUris.add(new JsonPrimitive(redirectUri1));
         redirectUris.add(new JsonPrimitive(redirectUri2));
         client = new OidcBaseClient(clientId, clientSecret, redirectUris, clientName, componentId, true);
+        publicClient = new OidcBaseClient(clientId, null, redirectUris, clientName, componentId, true);
     }
 
     @Test
@@ -320,4 +323,166 @@ public void testOutputParamtersPresent3() throws OidcServerException {
             assertEquals(expectedErrorMessage, e.getErrorDescription());
         }
     }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_nullUri() {
+        client.setBackchannelLogoutUri(null);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+        } catch (OidcServerException e) {
+            fail("Threw OidcServerException but didn't expect to: " + e.getErrorDescription());
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_nonUri() {
+        String uri = "This is not a valid URI";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+            fail("Did not throw OidcServerException as expected.");
+        } catch (OidcServerException e) {
+            assertEquals(HttpServletResponse.SC_BAD_REQUEST, e.getHttpStatus());
+            assertEquals(OIDCConstants.ERROR_INVALID_CLIENT_METADATA, e.getErrorCode());
+            String expectedRegex = "CWWKS1445E" + ".*" + uri + ".*";
+            String errorDescription = e.getErrorDescription();
+            assertTrue("Did not find error message \"" + expectedRegex + "\" in error description \"" + errorDescription + "\".", errorDescription.matches(expectedRegex));
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_uriNotAbsolute() {
+        String uri = "/some/path";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+            fail("Did not throw OidcServerException as expected.");
+        } catch (OidcServerException e) {
+            assertEquals(HttpServletResponse.SC_BAD_REQUEST, e.getHttpStatus());
+            assertEquals(OIDCConstants.ERROR_INVALID_CLIENT_METADATA, e.getErrorCode());
+            String expectedRegex = "CWWKS1446E" + ".*" + uri + ".*";
+            String errorDescription = e.getErrorDescription();
+            assertTrue("Did not find error message \"" + expectedRegex + "\" in error description \"" + errorDescription + "\".", errorDescription.matches(expectedRegex));
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_uriContainsEmptyFragment() {
+        String uri = "https://localhost/some/path#";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+            fail("Did not throw OidcServerException as expected.");
+        } catch (OidcServerException e) {
+            assertEquals(HttpServletResponse.SC_BAD_REQUEST, e.getHttpStatus());
+            assertEquals(OIDCConstants.ERROR_INVALID_CLIENT_METADATA, e.getErrorCode());
+            String expectedRegex = "CWWKS1498E" + ".*" + uri + ".*";
+            String errorDescription = e.getErrorDescription();
+            assertTrue("Did not find error message \"" + expectedRegex + "\" in error description \"" + errorDescription + "\".", errorDescription.matches(expectedRegex));
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_uriContainsNonEmptyFragment() {
+        String uri = "https://localhost/some/path#with-fragment";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+            fail("Did not throw OidcServerException as expected.");
+        } catch (OidcServerException e) {
+            assertEquals(HttpServletResponse.SC_BAD_REQUEST, e.getHttpStatus());
+            assertEquals(OIDCConstants.ERROR_INVALID_CLIENT_METADATA, e.getErrorCode());
+            String expectedRegex = "CWWKS1498E" + ".*" + uri + ".*";
+            String errorDescription = e.getErrorDescription();
+            assertTrue("Did not find error message \"" + expectedRegex + "\" in error description \"" + errorDescription + "\".", errorDescription.matches(expectedRegex));
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_uriDoesNotUseValidScheme() {
+        String uri = "file://localhost/some/path";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+            fail("Did not throw OidcServerException as expected.");
+        } catch (OidcServerException e) {
+            assertEquals(HttpServletResponse.SC_BAD_REQUEST, e.getHttpStatus());
+            assertEquals(OIDCConstants.ERROR_INVALID_CLIENT_METADATA, e.getErrorCode());
+            String expectedRegex = "CWWKS1499E" + ".*" + uri + ".*";
+            String errorDescription = e.getErrorDescription();
+            assertTrue("Did not find error message \"" + expectedRegex + "\" in error description \"" + errorDescription + "\".", errorDescription.matches(expectedRegex));
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_httpUriClientNotConfidential() {
+        String uri = "http://localhost/some/path";
+        publicClient.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(publicClient);
+        try {
+            validator.validateBackchannelLogoutUri();
+            fail("Did not throw OidcServerException as expected.");
+        } catch (OidcServerException e) {
+            assertEquals(HttpServletResponse.SC_BAD_REQUEST, e.getHttpStatus());
+            assertEquals(OIDCConstants.ERROR_INVALID_CLIENT_METADATA, e.getErrorCode());
+            String expectedRegex = "CWWKS2300E" + ".*" + uri + ".*";
+            String errorDescription = e.getErrorDescription();
+            assertTrue("Did not find error message \"" + expectedRegex + "\" in error description \"" + errorDescription + "\".", errorDescription.matches(expectedRegex));
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_simpleValidHttpUri() {
+        String uri = "http://localhost/some/path";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+        } catch (OidcServerException e) {
+            fail("Threw OidcServerException but didn't expect to: " + e.getErrorDescription());
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_simpleValidHttpUri_uppercase() {
+        String uri = "HTTP://LOCALHOST/SOME/PATH";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+        } catch (OidcServerException e) {
+            fail("Threw OidcServerException but didn't expect to: " + e.getErrorDescription());
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_simpleValidHttpsUri() {
+        String uri = "https://localhost:9080/some/path";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+        } catch (OidcServerException e) {
+            fail("Threw OidcServerException but didn't expect to: " + e.getErrorDescription());
+        }
+    }
+
+    @Test
+    public void testValidateBackchannelLogoutUri_complexUri() {
+        String uri = "https://localhost:9080/some/path?with=params&other=things";
+        client.setBackchannelLogoutUri(uri);
+        OidcBaseClientValidator validator = OidcBaseClientValidator.getInstance(client);
+        try {
+            validator.validateBackchannelLogoutUri();
+        } catch (OidcServerException e) {
+            fail("Threw OidcServerException but didn't expect to: " + e.getErrorDescription());
+        }
+    }
+
 }
