Skip to content

JwtDecoders should support issuer hostnames containing underscores #15853

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 20, 2025
Merged

JwtDecoders should support issuer hostnames containing underscores #15853

merged 3 commits into from
Feb 20, 2025

Conversation

bodograumann
Copy link
Contributor

Closes #15852

By using UriComponentsBuilder.fromUriString we stay in a single semantic context and do not loose information.

@pivotal-cla
Copy link

@bodograumann Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 25, 2024
@pivotal-cla
Copy link

@bodograumann Thank you for signing the Contributor License Agreement!

jzheaux
jzheaux requested changes Sep 26, 2024
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, @bodograumann! WIll you please also add a test for both servlet and reactive that show that this behavior is now repaired?

@jzheaux jzheaux self-assigned this Sep 26, 2024
@jzheaux jzheaux added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 26, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Sep 26, 2024

Thinking about this more, while it may still be valuable for this PR to have these tests, it seems to me that @rstoyanchev is open to updating UriComponentsBuilder. I think it would be better to focus on addressing the issue in Framework first. Have you already considered submitting a PR there?

@bodograumann
Copy link
Contributor Author

True, fixing the underlying issue in UriComponentsBuilder would be preferrable, but I focused on what I could get done in limited time.
I'll try to look into adding a test, which will require somehow mocking the RestTemplate and maybe I'll also find time to understand the difference between authority and host enough to propose a solution for UriComponentsBuilder.

@rstoyanchev
Copy link
Contributor

rstoyanchev commented Sep 27, 2024
edited
Loading

The challenge with re-parsing the authority is having to extract the parsing logic out of the whole algorithm. Couldn't you re-parse the full URI string in fallback mode? Something like:

URI uri = URI.create(issuer);
if (uri.getHost() == null && getAuthority() != null) {
    uri = UriComponentsBuilder.fromUriString(issuer).build().toURI();
}

This would impact only such URI's, and minimize any potential disruption for all others.

@bodograumann
Copy link
Contributor Author

That makes sense @rstoyanchev .
Also I couldn't find a way to mock the RestTemplate here, so I create a PR for the spring framework: spring-projects/spring-framework#33614

@bodograumann bodograumann mentioned this pull request Sep 30, 2024
Closed
@bodograumann bodograumann force-pushed the fix-issuer-uri-handling-15852 branch from 4416beb to ec73062 Compare October 9, 2024 12:32
@bodograumann
Copy link
Contributor Author

The challenge with re-parsing the authority is having to extract the parsing logic out of the whole algorithm. Couldn't you re-parse the full URI string in fallback mode? Something like:

URI uri = URI.create(issuer);
if (uri.getHost() == null && getAuthority() != null) {
    uri = UriComponentsBuilder.fromUriString(issuer).build().toURI();
}

This would impact only such URI's, and minimize any potential disruption for all others.

Given that since spring-projects/spring-framework@bbb53d0 UriComponentsBuilder uses the RFC 3986 parser by default, we are here only switching from RFC 2396 to RFC 3986 URI parsing, not to WhatWG parsing anymore.
Do you still think the impact would be too great, @rstoyanchev ?

As for testing: Could I make the oidc, oidcRfc8414 and oauth methods package protected and test them directly? Testing anything involving getConfiguration and the RestTemplate seems unfeasible to me, when we want to vary the hostname.

@rstoyanchev
Copy link
Contributor

rstoyanchev commented Oct 9, 2024
edited
Loading

Given that since spring-projects/spring-framework@bbb53d0 UriComponentsBuilder uses the RFC 3986 parser by default, we are here only switching from RFC 2396 to RFC 3986 URI parsing, not to WhatWG parsing anymore.
Do you still think the impact would be too great, @rstoyanchev ?

The main difference is that UriComponentsBuilder supports URI template variable syntax. Apart from that, it's not possible to guarantee identical results, but parsing via UriComponentsBuilder#fromUriString should generally be aligned with java.net.URI. I will also add that java.net.URI was created quite a while back, and hasn't been updated much.

@jzheaux note that this is in reference to a new URI parser that's used in UriComponentsBuilder as of 6.2, see spring-projects/spring-framework#33639.

If you decide to go with this change, why not pass UriComponentsBuilder into the oidc methods, or perhaps just the raw String and call fromUriString within those?

@bodograumann
Copy link
Contributor Author

bodograumann commented Oct 9, 2024
edited
Loading

If you decide to go with this change, why not pass UriComponentsBuilder into the oidc methods, or perhaps just the raw String and call fromUriString within those?

Now I remember, that I tried doing something like that before, but oidc and the like call getPath(), so only having the builder is not enough unfortunately.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed type: bug A general bug labels Feb 20, 2025
@jzheaux jzheaux changed the title Avoid UriComponentsBuilder.fromUri JwtDecoders should support issuers with underscores in their hostname Feb 20, 2025
bodograumann and others added 3 commits February 20, 2025 15:57
@bodograumann @jzheaux
Avoid UriComponentsBuilder.fromUri
d716b86 
Closes spring-projectsgh-15852
@jzheaux
JwtDecoders Supports Hostnames with Underscores
571135d 
In the process of verifying spring-projectsgh-15852, another issue with URI was discovered.
This commit adds tests to the uri-computing methods and changes them to use
UriComponents instead of URI.

Issue spring-projectsgh-15852
@jzheaux
ClientRegistrations supports hostnames with underscores
49e5d37 
Issue spring-projectsgh-15852
@jzheaux jzheaux force-pushed the fix-issuer-uri-handling-15852 branch from ec73062 to 49e5d37 Compare February 20, 2025 22:57
@jzheaux jzheaux changed the title JwtDecoders should support issuers with underscores in their hostname JwtDecoders should support issuer hostnames containing underscores Feb 20, 2025
@jzheaux jzheaux added this to the 6.5.0-M3 milestone Feb 20, 2025
@jzheaux jzheaux merged commit b6c813c into spring-projects:main Feb 20, 2025
5 of 6 checks passed
@jzheaux
Copy link
Contributor

jzheaux commented Feb 20, 2025

Thanks for the PR, @bodograumann! And I'm sorry for the extended delay.

In my testing, I found another issue with using URI and so I've adjusted these classes and ClientRegistrations to not use it. You can see these efforts in 571135d and 49e5d37

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
Spring Security Team
Archived in project
Milestone
6.5.0-M3
Development

Successfully merging this pull request may close these issues.

JwtDecoderProviderConfigurationUtils incorrectly handles issuer URI
5 participants
@bodograumann @pivotal-cla @jzheaux @rstoyanchev @spring-projects-issues