From 499701e67aad4fdc71958f35a4a493cf07f3db0a Mon Sep 17 00:00:00 2001 From: Hans Hosea Schaefer Date: Thu, 22 Apr 2021 02:17:44 +0200 Subject: [PATCH] Encode postLogoutRedirectUri query params Now encodes already encoded queryparameters in postLogoutRedirectUrl correctly Closes gh-9511 --- .../OidcClientInitiatedLogoutSuccessHandler.java | 4 ++-- .../OidcClientInitiatedLogoutSuccessHandlerTests.java | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java index 66abfe60d4f..0fb6f28627b 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java @@ -100,9 +100,9 @@ private URI postLogoutRedirectUri(HttpServletRequest request) { .replaceQuery(null) .fragment(null) .build(); - return UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri) + return URI.create (UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri) .buildAndExpand(Collections.singletonMap("baseUrl", uriComponents.toUriString())) - .toUri(); + .toUriString()); // @formatter:on } diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java index 757ebd03b24..f33308f76cf 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java @@ -138,6 +138,17 @@ public void logoutWhenUsingPostLogoutRedirectUriTemplateThenBuildsItForRedirect( "https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org"); } + @Test + public void logoutWhenUsingPostLogoutRedirectUriWithQueryParametersThenBuildItForRedirectWithEncodedQueryParameters() throws IOException, ServletException { + OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(TestOidcUsers.create(), + AuthorityUtils.NO_AUTHORITIES, this.registration.getRegistrationId()); + this.handler.setPostLogoutRedirectUri("https://rp.example.org/context?forwardUrl=secured%3Fparam%3Dtrue"); + this.request.setUserPrincipal(token); + this.handler.onLogoutSuccess(this.request, this.response, token); + assertThat(this.response.getRedirectedUrl()).isEqualTo( + "https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org/context?forwardUrl%3Dsecured%253Fparam%253Dtrue"); + } + @Test public void setPostLogoutRedirectUriWhenGivenNullThenThrowsException() { assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setPostLogoutRedirectUri((URI) null));