diff --git a/openid/config_test.go b/openid/config_test.go
index 6cd2cc9..d8a8158 100644
--- a/openid/config_test.go
+++ b/openid/config_test.go
@@ -15,5 +15,6 @@ func TestGenConfig(t *testing.T) {
 ScopesSupported: []string{"openid", "email"},
 ClaimsSupported: []string{"name", "email", "preferred_username"},
 GrantTypesSupported: []string{"authorization_code", "refresh_token"},
+ JwksUri: "https://example.com/.well-known/jwks.json",
 }, GenConfig("https://example.com", []string{"openid", "email"}, []string{"name", "email", "preferred_username"}))
 }
diff --git a/server/oauth.go b/server/oauth.go
index 694e311..d3e161d 100644
--- a/server/oauth.go
+++ b/server/oauth.go
@@ -6,6 +6,7 @@ import (
 "github.com/julienschmidt/httprouter"
 "net/http"
 "net/url"
+ "strings"
 )
 
 func (h *HttpServer) authorizeEndpoint(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
@@ -32,13 +33,19 @@ func (h *HttpServer) authorizeEndpoint(rw http.ResponseWriter, req *http.Request
 }
 redirectUri := form.Get("redirect_uri")
- if redirectUri != client.GetDomain() {
+ clientDomains := strings.Fields(client.GetDomain())
+ allowedDomains := make(map[string]bool)
+ for _, i := range clientDomains {
+ allowedDomains[i] = true
+ }
+
+ if !allowedDomains[redirectUri] {
 http.Error(rw, "Incorrect redirect URI", http.StatusBadRequest)
 return
 }
 
 if form.Has("cancel") {
- uCancel, err := url.Parse(client.GetDomain())
+ uCancel, err := url.Parse(redirectUri)
 if err != nil {
 http.Error(rw, "Invalid redirect URI", http.StatusBadRequest)
 return
@@ -62,7 +69,7 @@ func (h *HttpServer) authorizeEndpoint(rw http.ResponseWriter, req *http.Request
 return
 case !isSSO && !isPost:
 // find application redirect domain and name
- appUrlFull, err := url.Parse(client.GetDomain())
+ appUrlFull, err := url.Parse(redirectUri)
 if err != nil {
 http.Error(rw, "500 Internal Server Error: Failed to parse application redirect URL", http.StatusInternalServerError)
 return
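Review bot: The exact-match set built from `strings.Fields(client.GetDomain())` is the correct comparison for a redirect_uri (RFC 6749 §3.1.2.3 requires simple string comparison, so no prefix or pattern matching should be introduced later), but nothing in the hunk records that this is deliberate; a comment above the lookup such as `// redirect_uri must exactly match one of the client's whitespace-separated registered URIs (simple string comparison, RFC 6749 §3.1.2.3)` would protect that invariant. The map-and-loop is more machinery than the check needs: `if !slices.Contains(strings.Fields(client.GetDomain()), redirectUri) {` does the same in one line if the module targets Go 1.21+, and otherwise `map[string]struct{}` with a `_, ok` lookup is the idiomatic set. `GetDomain()` now yields a whitespace-separated list rather than a single domain, which neither its name nor `clientDomains` conveys, and the loop variable `i` holds a URI rather than an index. authorizeEndpoint starts and ends outside this hunk.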
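Review bot: A `url.Parse` failure on the same already-whitelisted `redirectUri` is reported as a 400 `Invalid redirect URI` in the cancel branch earlier in this function but as a 500 here, so the two branches disagree about whose fault an unparseable registered URI is; since the value has passed the allow-list, the failure points at the client's stored configuration rather than the request, and both sites should use the same status and wording, e.g. `http.Error(rw, "Invalid redirect URI", http.StatusBadRequest)` in both, or 500 in both if misconfiguration is treated as a server error. The retained comment `// find application redirect domain and name` still describes parsing the client's domain; `// parse the validated redirect_uri (already matched against the client's registered URIs)` would match the new code. authorizeEndpoint continues outside the hunk.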