feat(oauth2): preserve query params and fragments in redirect URL, support legacy redirect URL

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

apps/oauth2/lib/Controller/LoginRedirectorController.php

@@ -30,6 +30,7 @@
 #[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 class LoginRedirectorController extends Controller {
 	private const PKCE_STRING_PATTERN = '/^[A-Za-z0-9._~-]{43,128}$/';
+	private const LEGACY_LOCALHOST_REDIRECT_PATTERN = '/^http:\/\/localhost:[0-9]+$/';
 
 	/**
 	 * @param string $appName
@@ -53,6 +54,38 @@ public function __construct(
 		parent::__construct($appName, $request);
 	}
 
+	private function buildErrorRedirectResponse(
+		string $registeredRedirectUri,
+		string $providedRedirectUri,
+		string $error,
+		string $state,
+		?string $errorDescription = null,
+	): RedirectResponse {
+		$redirectUri = $registeredRedirectUri;
+		$enableOcClients = $this->config->getSystemValueBool('oauth2.enable_oc_clients', false);
+		if ($enableOcClients && $redirectUri === 'http://localhost:*' && preg_match(self::LEGACY_LOCALHOST_REDIRECT_PATTERN, $providedRedirectUri) === 1) {
+			$redirectUri = $providedRedirectUri;
+		}
+
+		$fragment = '';
+		$fragmentPosition = strpos($redirectUri, '#');
+		if ($fragmentPosition !== false) {
+			$fragment = substr($redirectUri, $fragmentPosition);
+			$redirectUri = substr($redirectUri, 0, $fragmentPosition);
+		}
+
+		$params = [
+			'error' => $error,
+		];
+		if ($errorDescription !== null) {
+			$params['error_description'] = $errorDescription;
+		}
+		$params['state'] = $state;
+
+		$separator = str_contains($redirectUri, '?') ? '&' : '?';
+		return new RedirectResponse($redirectUri . $separator . http_build_query($params) . $fragment);
+	}
+
 	/**
 	 * Authorize the user
 	 *
@@ -86,27 +119,22 @@ public function authorize($client_id,
 		}
 
 		if ($response_type !== 'code') {
-			//Fail
-			$url = $client->getRedirectUri() . '?error=unsupported_response_type&state=' . \urlencode($state);
-			return new RedirectResponse($url);
+			return $this->buildErrorRedirectResponse($client->getRedirectUri(), $redirect_uri, 'unsupported_response_type', $state);
 		}
 
 		if ($code_challenge === '' && $code_challenge_method !== '') {
-			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=code_challenge+required&state=' . \urlencode($state);
-			return new RedirectResponse($url);
+			return $this->buildErrorRedirectResponse($client->getRedirectUri(), $redirect_uri, 'invalid_request', $state, 'code_challenge required');
 		}
 
 		if ($code_challenge !== '' && preg_match(self::PKCE_STRING_PATTERN, $code_challenge) !== 1) {
-			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=Invalid+code_challenge&state=' . \urlencode($state);
-			return new RedirectResponse($url);
+			return $this->buildErrorRedirectResponse($client->getRedirectUri(), $redirect_uri, 'invalid_request', $state, 'Invalid code_challenge');
 		}
 
 		$effectiveCodeChallengeMethod = $code_challenge_method === '' && $code_challenge !== ''
 			? 'plain'
 			: $code_challenge_method;
 		if ($effectiveCodeChallengeMethod !== '' && $effectiveCodeChallengeMethod !== 'S256') {
-			$url = $client->getRedirectUri() . '?error=invalid_request&error_description=Transform+algorithm+not+supported&state=' . \urlencode($state);
-			return new RedirectResponse($url);
+			return $this->buildErrorRedirectResponse($client->getRedirectUri(), $redirect_uri, 'invalid_request', $state, 'Transform algorithm not supported');
 		}
 
 		$enableOcClients = $this->config->getSystemValueBool('oauth2.enable_oc_clients', false);

apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php

@@ -176,6 +176,28 @@ public function testAuthorizeWrongResponseType(): void {
 		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'wrongcode'));
 	}
 
+	public function testAuthorizeWrongResponseTypePreservesExistingQuery(): void {
+		$client = new Client();
+		$client->setClientIdentifier('MyClientIdentifier');
+		$client->setRedirectUri('http://foo.bar?hello=world');
+		$this->clientMapper
+			->expects($this->once())
+			->method('getByIdentifier')
+			->with('MyClientId')
+			->willReturn($client);
+		$this->session
+			->expects($this->never())
+			->method('set');
+		$this->config
+			->expects($this->once())
+			->method('getSystemValueBool')
+			->with('oauth2.enable_oc_clients', false)
+			->willReturn(false);
+
+		$expected = new RedirectResponse('http://foo.bar?hello=world&error=unsupported_response_type&state=MyState');
+		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'wrongcode'));
+	}
+
 	public function testAuthorizeRejectsCodeChallengeMethodWithoutChallenge(): void {
 		$client = new Client();
 		$client->setClientIdentifier('MyClientIdentifier');
@@ -207,10 +229,38 @@ public function testAuthorizeRejectsPkceWithoutMethodBecausePlainIsUnsupported()
 			->method('set');
 
 		$codeChallenge = str_repeat('a', 43);
+		$this->config
+			->expects($this->once())
+			->method('getSystemValueBool')
+			->with('oauth2.enable_oc_clients', false)
+			->willReturn(false);
 		$expected = new RedirectResponse('http://foo.bar?error=invalid_request&error_description=Transform+algorithm+not+supported&state=MyState');
 		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', $codeChallenge));
 	}
 
+	public function testAuthorizeRejectsPkceWithoutMethodForLegacyOcClientUsingProvidedRedirectUri(): void {
+		$client = new Client();
+		$client->setClientIdentifier('MyClientIdentifier');
+		$client->setRedirectUri('http://localhost:*');
+		$this->clientMapper
+			->expects($this->once())
+			->method('getByIdentifier')
+			->with('MyClientId')
+			->willReturn($client);
+		$this->session
+			->expects($this->never())
+			->method('set');
+		$this->config
+			->expects($this->once())
+			->method('getSystemValueBool')
+			->with('oauth2.enable_oc_clients', false)
+			->willReturn(true);
+
+		$codeChallenge = str_repeat('a', 43);
+		$expected = new RedirectResponse('http://localhost:30000?error=invalid_request&error_description=Transform+algorithm+not+supported&state=MyState');
+		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', 'http://localhost:30000', $codeChallenge));
+	}
+
 	public function testAuthorizeRejectsUnsupportedCodeChallengeMethod(): void {
 		$client = new Client();
 		$client->setClientIdentifier('MyClientIdentifier');
@@ -225,6 +275,11 @@ public function testAuthorizeRejectsUnsupportedCodeChallengeMethod(): void {
 			->method('set');
 
 		$codeChallenge = str_repeat('a', 43);
+		$this->config
+			->expects($this->once())
+			->method('getSystemValueBool')
+			->with('oauth2.enable_oc_clients', false)
+			->willReturn(false);
 		$expected = new RedirectResponse('http://foo.bar?error=invalid_request&error_description=Transform+algorithm+not+supported&state=MyState');
 		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', $codeChallenge, 'plain'));
 	}
@@ -241,6 +296,11 @@ public function testAuthorizeRejectsInvalidCodeChallengeFormat(): void {
 		$this->session
 			->expects($this->never())
 			->method('set');
+		$this->config
+			->expects($this->once())
+			->method('getSystemValueBool')
+			->with('oauth2.enable_oc_clients', false)
+			->willReturn(false);
 
 		$expected = new RedirectResponse('http://foo.bar?error=invalid_request&error_description=Invalid+code_challenge&state=MyState');
 		$this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code', '', 'short', 'S256'));

core/Controller/ClientFlowLoginController.php

@@ -324,6 +324,13 @@ public function generateAppPassword(
 				$redirectUri = $providedRedirectUri;
 			}
 
+			$fragment = '';
+			$fragmentPosition = strpos($redirectUri, '#');
+			if ($fragmentPosition !== false) {
+				$fragment = substr($redirectUri, $fragmentPosition);
+				$redirectUri = substr($redirectUri, 0, $fragmentPosition);
+			}
+
 			if (parse_url($redirectUri, PHP_URL_QUERY)) {
 				$redirectUri .= '&';
 			} else {
@@ -335,6 +342,7 @@ public function generateAppPassword(
 				urlencode($this->session->get('oauth.state')),
 				urlencode($code)
 			);
+			$redirectUri .= $fragment;
 			$this->session->remove('oauth.state');
 		} else {
 			$redirectUri = 'nc://login/server:' . $this->getServerPath() . '&user:' . urlencode($loginName) . '&password:' . urlencode($token);

tests/Core/Controller/ClientFlowLoginControllerTest.php

@@ -14,8 +14,8 @@
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
 use OC\Core\Controller\ClientFlowLoginController;
-use OCA\OAuth2\Db\AccessTokenMapper;
 use OCA\OAuth2\Db\AccessToken;
+use OCA\OAuth2\Db\AccessTokenMapper;
 use OCA\OAuth2\Db\Client;
 use OCA\OAuth2\Db\ClientMapper;
 use OCP\AppFramework\Http;
@@ -423,6 +423,8 @@ public function testGeneratePasswordWithPassword(): void {
 	 * @testWith
 	 * ["https://example.com/redirect.php", "https://example.com/redirect.php?state=MyOauthState&code=MyAccessCode"]
 	 * ["https://example.com/redirect.php?hello=world", "https://example.com/redirect.php?hello=world&state=MyOauthState&code=MyAccessCode"]
+	 * ["https://example.com/redirect.php#target", "https://example.com/redirect.php?state=MyOauthState&code=MyAccessCode#target"]
+	 * ["https://example.com/redirect.php?hello=world#target", "https://example.com/redirect.php?hello=world&state=MyOauthState&code=MyAccessCode#target"]
 	 *
 	 */
 	public function testGeneratePasswordWithPasswordForOauthClient($redirectUri, $redirectUrl): void {