
Commit 499701e

hoseajzheaux
authored andcommitted
Encode postLogoutRedirectUri query params
Now correctly encodes already-encoded query parameters in postLogoutRedirectUrl.
Closes gh-9511
1 parent 4d18d06 commit 499701e


2 files changed

+13
-2
lines changed


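--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java
@@ -100,9 +100,9 @@ private URI postLogoutRedirectUri(HttpServletRequest request) {
 .replaceQuery(null)
 .fragment(null)
 .build();
-return UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri)
+return URI.create (UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri)
 .buildAndExpand(Collections.singletonMap("baseUrl", uriComponents.toUriString()))
-.toUri();
+.toUriString());
 // @formatter:on
 }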
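Review bot: The new `URI.create(...)` wrapped around `.toUriString()` throws `IllegalArgumentException` for any expanded string that is not already a syntactically valid URI, whereas the previous `.toUri()` appears to have percent-encoded such characters (which is also why it re-encoded `%`). A configured template containing a raw space, for example, would now fail inside `postLogoutRedirectUri(...)` at logout time instead of being encoded, and the `{baseUrl}` value is likewise substituted as-is; the start of this method is outside the hunk, so how `uriComponents` is derived from the request cannot be checked here. Because the result becomes the `post_logout_redirect_uri` that the provider compares with its registered URIs, I would reject a malformed template when it is configured (in the `String` setter) rather than during logout, and state the contract above the return with a comment such as `// template must already be percent-encoded: it is parsed as-is, not re-encoded`. Minor style point: drop the space in `URI.create (`.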

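--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java
@@ -138,6 +138,17 @@ public void logoutWhenUsingPostLogoutRedirectUriTemplateThenBuildsItForRedirect(
 "https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org");
 }
 
+@Test
+public void logoutWhenUsingPostLogoutRedirectUriWithQueryParametersThenBuildItForRedirectWithEncodedQueryParameters() throws IOException, ServletException {
+OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(TestOidcUsers.create(),
+AuthorityUtils.NO_AUTHORITIES, this.registration.getRegistrationId());
+this.handler.setPostLogoutRedirectUri("https://rp.example.org/context?forwardUrl=secured%3Fparam%3Dtrue");
+this.request.setUserPrincipal(token);
+this.handler.onLogoutSuccess(this.request, this.response, token);
+assertThat(this.response.getRedirectedUrl()).isEqualTo(
+"https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org/context?forwardUrl%3Dsecured%253Fparam%253Dtrue");
+}
+
 @Test
 public void setPostLogoutRedirectUriWhenGivenNullThenThrowsException() {
 assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setPostLogoutRedirectUri((URI) null));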
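Review bot: The added test covers only a literal redirect URI; no case combines the `{baseUrl}` template with an already-encoded query, which is where a request-derived value is expanded into the string that the handler now parses as-is. I would add a sibling test that calls `this.handler.setPostLogoutRedirectUri("{baseUrl}/context?forwardUrl=secured%3Fparam%3Dtrue");` and asserts the same single layer of encoding inside `post_logout_redirect_uri`. A negative case for a template that is not a valid URI (for instance one with a raw space) would pin down whether such input is rejected or encoded after this change. Style: the new name reads `ThenBuildIt…` while the neighbouring test uses `ThenBuildsIt…`.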
