From 90736bd813d341718a765944485b28d25a845b3d Mon Sep 17 00:00:00 2001
From: Avery-Dunn
Date: Sun, 16 Apr 2023 15:44:34 -0700
Subject: [PATCH 1/3] Better error handling for redirect URIs
---
 .../aad/msal4j/InteractiveRequest.java | 42 +++++++++++--------
 1 file changed, 25 insertions(+), 17 deletions(-)
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java
index 93a6b462..f83cdcf3 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java
@@ -10,6 +10,7 @@
 import java.net.InetAddress;
 import java.net.URI;
 import java.net.URL;
+import java.net.UnknownHostException;
 import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.UUID;
@@ -55,24 +56,31 @@ URL authorizationUrl() {
 }
 private void validateRedirectUrl(URI redirectUri) {
+ String host = redirectUri.getHost();
+ String scheme = redirectUri.getScheme();
+ InetAddress address;
+
+ //Validate URI scheme. Only http is valid, as determined by the HttpListener created in AcquireTokenByInteractiveFlowSupplier.startHttpListener()
+ if (scheme == null || !scheme.equals("http")) {
+ throw new MsalClientException(String.format(
+ "Only http is supported for the redirect URI of an interactive request, but \"%s\" was found. For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request", scheme),
+ AuthenticationErrorCode.LOOPBACK_REDIRECT_URI);
+ }
+
+ //Ensure that the given redirect URI has a known address
 try {
- if (!InetAddress.getByName(redirectUri.getHost()).isLoopbackAddress()) {
- throw new MsalClientException(String.format(
- "Only loopback redirect uri is supported, but %s was found " +
- "Configure http://localhost or http://localhost:port both during app registration" +
- "and when you create the create the InteractiveRequestParameters object", redirectUri.getHost()),
- AuthenticationErrorCode.LOOPBACK_REDIRECT_URI);
- }
-
- if (!redirectUri.getScheme().equals("http")) {
- throw new MsalClientException(String.format(
- "Only http uri scheme is supported but %s was found. Configure http://localhost" +
- "or http://localhost:port both during app registration and when you create" +
- " the create the InteractiveRequestParameters object", redirectUri.toString()),
- AuthenticationErrorCode.LOOPBACK_REDIRECT_URI);
- }
- } catch (Exception exception) {
- throw new MsalClientException(exception);
+ address = InetAddress.getByName(host);
+ } catch (UnknownHostException e) {
+ throw new MsalClientException(String.format(
+ "Unknown host exception for host \"%s\". 
For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request", host),
+ AuthenticationErrorCode.LOOPBACK_REDIRECT_URI);
+ }
+
+ //Ensure that the redirect URI is considered a loopback address
+ if (address == null || !address.isLoopbackAddress()) {
+ throw new MsalClientException(
+ "Only loopback redirect URI is supported for interactive requests. For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request",
+ AuthenticationErrorCode.LOOPBACK_REDIRECT_URI);
 }
 }
From a76523e38110d1fd90cef5692b1d010a9bca7e65 Mon Sep 17 00:00:00 2001
From: Avery-Dunn
Date: Sun, 16 Apr 2023 15:46:17 -0700
Subject: [PATCH 2/3] Update oauth2-oidc-sdk dependency
---
 msal4j-sdk/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/msal4j-sdk/pom.xml b/msal4j-sdk/pom.xml
index fd646630..d7d6342c 100644
--- a/msal4j-sdk/pom.xml
+++ b/msal4j-sdk/pom.xml
@@ -36,7 +36,7 @@ com.nimbusds oauth2-oidc-sdk - 9.35 + 10.7.1 net.minidev
From b49589e16bc0838d1ce4e1e90388c7c1a5716eb3 Mon Sep 17 00:00:00 2001
From: Avery-Dunn <62066438+Avery-Dunn@users.noreply.github.com>
Date: Mon, 17 Apr 2023 08:52:20 -0700
Subject: [PATCH 3/3] Address review comments
Co-authored-by: Bogdan Gavril
---
 .../main/java/com/microsoft/aad/msal4j/InteractiveRequest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java
index f83cdcf3..36149e2e 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/InteractiveRequest.java
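Review bot: A redirect URI without a host component still passes the rewritten validation: `redirectUri.getHost()` returns null for such URIs (and for authorities that are not syntactically valid host names), and `InetAddress.getByName(null)` is specified to return a loopback address, so the `UnknownHostException` branch is skipped and the final `isLoopbackAddress()` check succeeds; the `address == null` half of that condition is dead, because `getByName` either returns a non-null address or throws. Reject a missing host before the lookup, e.g. `if (host == null) { throw new MsalClientException("The redirect URI has no host. For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request", AuthenticationErrorCode.LOOPBACK_REDIRECT_URI); }`, and drop the null comparison. The catch block also discards `e`, so the reason the name failed to resolve is lost; if `MsalClientException` offers a constructor that takes a cause, pass `e` through. A brief Javadoc on validateRedirectUrl stating that it accepts only an http URI whose host resolves to a loopback address, and throws `MsalClientException` with `LOOPBACK_REDIRECT_URI` otherwise, would also document the contract the new checks enforce.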
@@ -63,7 +63,7 @@ private void validateRedirectUrl(URI redirectUri) {
 //Validate URI scheme. Only http is valid, as determined by the HttpListener created in AcquireTokenByInteractiveFlowSupplier.startHttpListener()
 if (scheme == null || !scheme.equals("http")) {
 throw new MsalClientException(String.format(
- "Only http is supported for the redirect URI of an interactive request, but \"%s\" was found. For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request", scheme),
+ "Only http://localhost or http://localhost:port is supported for the redirect URI of an interactive request using a browser, but \"%s\" was found. For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request", scheme),
 AuthenticationErrorCode.LOOPBACK_REDIRECT_URI);
 }
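Review bot: The reworded message on the added line belongs to the scheme check only, yet it tells the user that only http://localhost or http://localhost:port is supported, which overstates the host restriction (the loopback check added in the first patch of this series accepts any loopback address, e.g. 127.0.0.1) and hides that the actual failure here is the scheme; because `%s` is filled with `scheme`, someone who registered `https://localhost` sees `"https" was found` next to a list of hosts. Consider naming the scheme explicitly: `"The redirect URI of an interactive request must use the http scheme (for example http://localhost or http://localhost:port), but scheme \"%s\" was found. For more information about redirect URI formats, see https://aka.ms/msal4j-interactive-request"`. The enclosing validateRedirectUrl method starts and ends outside this hunk.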