This repository was archived by the owner on Sep 10, 2024. It is now read-only.

invalid_redirect_uri error raised by POST /oauth2/registration doesn't explain which policy was violated #3036

Open
@Half-Shot

Description

@Half-Shot

It wasn't clear to me that I couldn't set a localhost URL for the registration request URIs because it's forbidden in

```rust
pub(crate) async fn post(
    mut rng: BoxRng,
    clock: BoxClock,
    mut repo: BoxRepository,
    mut policy: Policy,
    State(encrypter): State<Encrypter>,
    body: Result<Json<ClientMetadata>, axum::extract::rejection::JsonRejection>,
) -> Result<impl IntoResponse, RouteError> {
    // Propagate any JSON extraction error
    let Json(body) = body?;

    info!(?body, "Client registration");

    // Validate the body
    let metadata = body.validate()?;

    // Some extra validation that is hard to do in OPA and not done by the
    // `validate` method either
    if let Some(client_uri) = &metadata.client_uri {
        if localised_url_has_public_suffix(client_uri) {
            return Err(RouteError::UrlIsPublicSuffix("client_uri"));
        }
    }

    if let Some(logo_uri) = &metadata.logo_uri {
        if localised_url_has_public_suffix(logo_uri) {
            return Err(RouteError::UrlIsPublicSuffix("logo_uri"));
        }
    }

    if let Some(policy_uri) = &metadata.policy_uri {
        if localised_url_has_public_suffix(policy_uri) {
            return Err(RouteError::UrlIsPublicSuffix("policy_uri"));
        }
    }

    if let Some(tos_uri) = &metadata.tos_uri {
        if localised_url_has_public_suffix(tos_uri) {
            return Err(RouteError::UrlIsPublicSuffix("tos_uri"));
        }
    }

    if let Some(initiate_login_uri) = &metadata.initiate_login_uri {
        if host_is_public_suffix(initiate_login_uri) {
            return Err(RouteError::UrlIsPublicSuffix("initiate_login_uri"));
        }
    }

    for redirect_uri in metadata.redirect_uris() {
        if host_is_public_suffix(redirect_uri) {
            return Err(RouteError::UrlIsPublicSuffix("redirect_uri"));
        }
    }
```

The error is super vague though, and could do with some explanation (or at least a log line).
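As an added example (not code from matrix-authentication-service or from this issue's author), here is a small stand-alone Rust model of the same public-suffix check where the rejection carries the field name, the offending URI and the policy that was violated, and turns into an RFC 7591 `error` / `error_description` pair plus a server-side log line. The public suffix table and the host parser are constructed stand-ins for illustration; a real deployment would use the full public suffix list and a proper URL parser.

```rust
// Added example, not MAS code: a registration validator whose error says
// which field, which URI and which policy caused the rejection.

/// Policies a registration URI can violate (only the ones discussed here).
#[derive(Debug, Clone, PartialEq)]
pub enum UriPolicy {
    /// The whole host is a public suffix (a bare TLD such as `com`, or an
    /// unlisted single label such as `localhost`), so no single party owns it.
    HostIsPublicSuffix,
    /// The URI has no host component or could not be parsed at all.
    MissingHost,
}

/// A rejection that carries enough context for the caller and the logs.
#[derive(Debug, Clone, PartialEq)]
pub struct RegistrationError {
    pub field: &'static str,
    pub uri: String,
    pub policy: UriPolicy,
}

impl RegistrationError {
    /// RFC 7591 `error` code: redirect URIs have their own code, other
    /// metadata fields fall under `invalid_client_metadata`.
    pub fn error_code(&self) -> &'static str {
        if self.field == "redirect_uris" { "invalid_redirect_uri" } else { "invalid_client_metadata" }
    }

    /// RFC 7591 `error_description`: names field, value and policy.
    pub fn error_description(&self) -> String {
        let why = match self.policy {
            UriPolicy::HostIsPublicSuffix => "its host is a public suffix, which nobody can own",
            UriPolicy::MissingHost => "it has no host component",
        };
        format!("{} <{}> was rejected because {}", self.field, self.uri, why)
    }

    /// Body of the HTTP 400 response, built by hand to avoid a JSON crate.
    /// The URI is client-controlled, so quotes and backslashes are escaped.
    pub fn to_json(&self) -> String {
        let desc = self.error_description().replace('\\', "\\\\").replace('"', "\\\"");
        format!("{{\"error\":\"{}\",\"error_description\":\"{}\"}}", self.error_code(), desc)
    }
}

/// Constructed stand-in for the public suffix list (assumption, not the real list).
const PUBLIC_SUFFIXES: &[&str] = &["com", "org", "co.uk", "github.io"];

/// Host part of a URI without userinfo or port. IPv6 literals are not handled.
pub fn host_of(uri: &str) -> Option<String> {
    let rest = uri.split_once("://")?.1;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let host = authority.rsplit('@').next()?.split(':').next()?;
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Public suffix of a host: the longest listed suffix, or, following the
/// list's wildcard rule, the last label when nothing is listed.
pub fn public_suffix(host: &str) -> String {
    let labels: Vec<&str> = host.split('.').collect();
    for i in 0..labels.len() {
        let candidate = labels[i..].join(".");
        if PUBLIC_SUFFIXES.contains(&candidate.as_str()) {
            return candidate;
        }
    }
    labels.last().copied().unwrap_or("").to_string()
}

/// A host nobody owns: the host is exactly its own public suffix.
pub fn host_is_public_suffix(host: &str) -> bool {
    public_suffix(host) == host
}

/// The subset of client metadata this example validates.
pub struct ClientMetadata {
    pub client_uri: Option<String>,
    pub redirect_uris: Vec<String>,
}

fn check(field: &'static str, uri: &str) -> Result<(), RegistrationError> {
    let err = |policy| RegistrationError { field, uri: uri.to_string(), policy };
    let host = host_of(uri).ok_or_else(|| err(UriPolicy::MissingHost))?;
    if host_is_public_suffix(&host) {
        return Err(err(UriPolicy::HostIsPublicSuffix));
    }
    Ok(())
}

/// First violation found, with the field and URI that caused it.
pub fn validate(metadata: &ClientMetadata) -> Result<(), RegistrationError> {
    if let Some(client_uri) = &metadata.client_uri {
        check("client_uri", client_uri)?;
    }
    for redirect_uri in &metadata.redirect_uris {
        check("redirect_uris", redirect_uri)?;
    }
    Ok(())
}

fn main() {
    // Constructed request: a fine client_uri and the localhost redirect from the issue.
    let metadata = ClientMetadata {
        client_uri: Some("https://app.example.com".to_string()),
        redirect_uris: vec!["http://localhost:8080/callback".to_string()],
    };
    match validate(&metadata) {
        Ok(()) => println!("registered"),
        Err(e) => {
            // Log line with the same context as the response, for the operator.
            eprintln!("client registration rejected: field={} uri={} policy={:?}", e.field, e.uri, e.policy);
            println!("400 {}", e.to_json());
        }
    }
}
```

Keeping the field, value and policy in the error type (rather than only the field, as `RouteError::UrlIsPublicSuffix("redirect_uri")` does) is what lets both the response body and the log line explain the rejection without a second lookup.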
