Fix MSC2966 compliance around redirect_uri validity (#4529)

sandhose · web-flow · commit 7309d1e6280a · 2025-05-09T09:22:24.000+02:00
diff --git a/policies/client_registration/client_registration.rego b/policies/client_registration/client_registration.rego
@@ -13,7 +13,7 @@ allow if {
 
 parse_uri(url) := obj if {
 	is_string(url)
-	url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)$`
+	url_regex := `^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)?(?P<query>\?[A-Za-z0-9/.-=]*)?$`
 	[matches] := regex.find_all_string_submatch_n(url_regex, url, 1)
 	obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
 }
@@ -31,9 +31,6 @@ secure_url(x) if {
 	url.host != "127.0.0.1"
 	url.host != "0.0.0.0"
 	url.host != "[::1]"
-
-	# Must be standard port for HTTPS
-	url.port == ""
 }
 
 host_matches_client_uri(_) if {
diff --git a/policies/client_registration/client_registration_test.rego b/policies/client_registration/client_registration_test.rego
@@ -212,7 +212,14 @@ test_web_redirect_uri if {
 	client_registration.allow with input.client_metadata as {
 		"application_type": "web",
 		"client_uri": "https://example.com/",
-		"redirect_uris": ["https://example.com/second/callback", "https://example.com/callback"],
+		"redirect_uris": ["https://example.com/second/callback", "https://example.com/callback", "https://example.com/callback?query=value"],
+	}
+
+	# HTTPS redirect_uri with non-standard port
+	client_registration.allow with input.client_metadata as {
+		"application_type": "web",
+		"client_uri": "https://example.com/",
+		"redirect_uris": ["https://example.com:8443/callback"],
 	}
 }
 
@@ -289,6 +296,14 @@ test_web_redirect_uri_localhost_not_allowed if {
 	}
 }
 
+test_web_redirect_uri_with_query if {
+	client_registration.allow with input.client_metadata as {
+		"application_type": "web",
+		"client_uri": "https://example.com/",
+		"redirect_uris": ["https://example.com/callback?query=value", "https://example.com?query=value"],
+	}
+}
+
 test_native_redirect_uri_allowed if {
 	# This has all the redirect URIs types we're supporting for native apps
 	client_registration.allow with input.client_metadata as {
