feat(oxauth): the requestUriParameterSupported and requestParameterSu…

…pported involved in request processing (#1892) #1891
GluuFederation · Feb 27, 2024 · eb824f2 · eb824f2
1 parent d182048
commit eb824f2
Show file tree

Hide file tree

Showing 6 changed files with 107 additions and 0 deletions.
diff --git a/Model/src/main/java/org/gluu/oxauth/model/authorize/AuthorizeErrorResponseType.java b/Model/src/main/java/org/gluu/oxauth/model/authorize/AuthorizeErrorResponseType.java
@@ -112,6 +112,18 @@ public enum AuthorizeErrorResponseType implements IErrorType {
      */
     USER_MISMATCHED("user_mismatched"),
 
+    /**
+     * "request" parameter is supported by AS. But if it's switched off in configuration by setting
+     * requestParameterSupported=false then this error is returned from authorization endpoint.
+     */
+    REQUEST_NOT_SUPPORTED("request_not_supported"),
+
+    /**
+     * "request_uri" parameter is supported by AS. But if it's switched off in configuration by setting
+     * requestUriParameterSupported=false then this error is returned from authorization endpoint.
+     */
+    REQUEST_URI_NOT_SUPPORTED("request_uri_not_supported"),
+
     /**
      * The request_uri in the Authorization Request returns an error or invalid data.
      */

diff --git a/Server/conf/oxauth-errors.json b/Server/conf/oxauth-errors.json
@@ -70,6 +70,16 @@
             "description":"The current logged in End-User at the Authorization Server does not match the requested user. This error MAY be returned when the prompt parameter in the Authorization Request is set to none to request that the Authorization Server should not display any user interfaces to the End-User, but the Authorization Request cannot be completed without displaying a user interface to prompt for the correct End-User authentication.",
             "uri":null
         },
+        {
+            "id":"request_not_supported",
+            "description":"The request parameter is not supported.",
+            "uri":null
+        },
+        {
+            "id":"request_uri_not_supported",
+            "description":"The request uri parameter is not supported.",
+            "uri":null
+        },
         {
             "id":"invalid_request_uri",
             "description":"The request_uri in the Authorization Request returns an error or invalid data.",

diff --git a/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
@@ -248,6 +248,9 @@ private Response requestAuthorization(
             Set<String> scopes = scopeChecker.checkScopesPolicy(client, scope);
             boolean isPromptFromJwt = false;
 
+            authorizeRestWebServiceValidator.validateRequestParameterSupported(request, state);
+            authorizeRestWebServiceValidator.validateRequestUriParameterSupported(requestUri, state);
+
             JwtAuthorizationRequest jwtRequest = null;
             if (StringUtils.isNotBlank(request) || StringUtils.isNotBlank(requestUri)) {
                 try {

diff --git a/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceValidator.java b/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceValidator.java
@@ -29,6 +29,7 @@
 import javax.ws.rs.core.Response;
 import java.util.*;
 
+import static org.apache.commons.lang3.BooleanUtils.isTrue;
 import static org.gluu.oxauth.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
 
 /**
@@ -277,4 +278,37 @@ public String validateRedirectUri(@NotNull Client client, @Nullable String redir
                 .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, state, ""))
                 .build());
     }
+
+    public void validateRequestParameterSupported(String request, String state) {
+        if (StringUtils.isBlank(request)) {
+            return;
+        }
+
+        if (isTrue(appConfiguration.getRequestParameterSupported())) {
+            return;
+        }
+
+        log.debug("'request' support is switched off by requestParameterSupported=false configuration property.");
+        throw new WebApplicationException(Response
+                .status(Response.Status.BAD_REQUEST)
+                .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.REQUEST_NOT_SUPPORTED, state, "request processing is denied by AS."))
+                .build());
+
+    }
+
+    public void validateRequestUriParameterSupported(String requestUri, String state) {
+        if (StringUtils.isBlank(requestUri)) {
+            return;
+        }
+
+        if (isTrue(appConfiguration.getRequestUriParameterSupported())) {
+            return;
+        }
+
+        log.debug("'request_uri' support is switched off by requestUriParameterSupported=false configuration property.");
+        throw new WebApplicationException(Response
+                .status(Response.Status.BAD_REQUEST)
+                .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.REQUEST_URI_NOT_SUPPORTED, state, "request_uri processing is denied by AS"))
+                .build());
+    }
 }
diff --git a/...r/src/test/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceValidatorTest.java b/...r/src/test/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceValidatorTest.java
@@ -16,6 +16,8 @@
 import org.testng.annotations.Listeners;
 import org.testng.annotations.Test;
 
+import javax.ws.rs.WebApplicationException;
+
 import static org.mockito.Mockito.when;
 import static org.testng.Assert.assertFalse;
 import static org.testng.Assert.assertTrue;
@@ -53,6 +55,48 @@ public class AuthorizeRestWebServiceValidatorTest {
     @Mock
     private Identity identity;
 
+    @Test
+    public void validateRequestParameterSupported_whenRequestIsEmpty_shouldPass() {
+        authorizeRestWebServiceValidator.validateRequestParameterSupported(null, "state");
+        authorizeRestWebServiceValidator.validateRequestParameterSupported("", "state");
+    }
+
+    @Test
+    public void validateRequestParameterSupported_whenRequestSupportIsSwitchedOn_shouldPass() {
+        when(appConfiguration.getRequestParameterSupported()).thenReturn(true);
+
+        authorizeRestWebServiceValidator.validateRequestParameterSupported("{\"redirect_uri\":\"https://rp.example.com\"}", "state");
+        authorizeRestWebServiceValidator.validateRequestParameterSupported(null, "state");
+        authorizeRestWebServiceValidator.validateRequestParameterSupported("", "state");
+    }
+
+    @Test(expectedExceptions = WebApplicationException.class)
+    public void validateRequestParameterSupported_whenRequestSupportIsSwitchedOff_shouldThrowException() {
+        when(appConfiguration.getRequestParameterSupported()).thenReturn(false);
+
+        authorizeRestWebServiceValidator.validateRequestParameterSupported("{\"redirect_uri\":\"https://rp.example.com\"}", "state");
+    }
+
+    @Test
+    public void validateRequestUriParameterSupported_whenRequestUriIsEmpty_shouldPass() {
+        authorizeRestWebServiceValidator.validateRequestUriParameterSupported(null, "state");
+        authorizeRestWebServiceValidator.validateRequestUriParameterSupported("", "state");
+    }
+
+    @Test
+    public void validateRequestUriParameterSupported_whenRequestUriSupportIsSwitchedOn_shouldPass() {
+        when(appConfiguration.getRequestUriParameterSupported()).thenReturn(true);
+
+        authorizeRestWebServiceValidator.validateRequestUriParameterSupported("https://rp.example.com", "state");
+    }
+
+    @Test(expectedExceptions = WebApplicationException.class)
+    public void validateRequestUriParameterSupported_whenRequestSupportIsSwitchedOff_shouldThrowException() {
+        when(appConfiguration.getRequestUriParameterSupported()).thenReturn(false);
+
+        authorizeRestWebServiceValidator.validateRequestUriParameterSupported("https://rp.example.com", "state");
+    }
+
     @Test
     public void isAuthnMaxAgeValid_whenMaxAgeIsZero_shouldReturnTrue() {
         assertTrue(authorizeRestWebServiceValidator.isAuthnMaxAgeValid(0, new SessionId(), new Client()));

diff --git a/docs/oxAuthSwagger.yaml b/docs/oxAuthSwagger.yaml
@@ -210,6 +210,8 @@ paths:
                       - session_selection_required
                       - consent_required
                       - user_mismatched
+                      - request_not_supported
+                      - request_uri_not_supported
                       - invalid_request_uri
                       - invalid_request_object
                       - authentication_session_invalid
@@ -348,6 +350,8 @@ paths:
                       - session_selection_required
                       - consent_required
                       - user_mismatched
+                      - request_not_supported
+                      - request_uri_not_supported
                       - invalid_request_uri
                       - invalid_request_object
                       - authentication_session_invalid