Interal URLs cannot be used as oauth provider #69

ivo-k · 2024-01-26T09:29:26Z

The default instance of UrlValidator prevents us to use intranet domain names, which are not compliant to url validator. For example dev.somewhere.local is invalid because of local is not valid TLD.

class SpringSecurityOAuth2Controller {
...
    def authenticate() {
        String providerName = params.provider
        if (StringUtils.isBlank(providerName)) {
            throw new OAuth2Exception("No provider defined")
        }
        log.debug "authenticate ${providerName}"
        String url = springSecurityOauth2BaseService.getAuthorizationUrl(providerName)
        log.debug "redirect url from s2oauthservice=${url}"

        //You cannot use internal/local urls because of this line
        if (!UrlValidator.instance.isValid(url)) {
            flash.message = "Authorization url for provider '${providerName}' is invalid."
            redirect(controller: 'login', action: 'index')
        }
        redirect(url: url)
    }
...

It is possible/reasonable to omit the validation or make it configurable e.g. by injecting the validator?

The text was updated successfully, but these errors were encountered:

ivo-k · 2024-11-18T14:02:00Z

Any news on this topic?

ivo-k mentioned this issue Jan 29, 2024

make url validation configurable #72

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Interal URLs cannot be used as oauth provider #69

Interal URLs cannot be used as oauth provider #69

ivo-k commented Jan 26, 2024

ivo-k commented Nov 18, 2024

Interal URLs cannot be used as oauth provider #69

Interal URLs cannot be used as oauth provider #69

Comments

ivo-k commented Jan 26, 2024

ivo-k commented Nov 18, 2024