Support ValidRedirectUrls

Author: denniskniep

CHANGELOG.md

@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+## [1.0.5] - 2026-03-15
+
+### Added
+
+- Support ValidRedirectUrls
+
 ## [1.0.4] - 2026-03-15
 
 ### Added

src/main/java/de/denniskniep/safed/common/config/FederationAppConfig.java

@@ -9,6 +9,7 @@
 public abstract class FederationAppConfig extends AppConfig {
     private String clientId;
     private URL redirectUrl;
+    private List<String> validRedirectUrls;
     private URL signInUrl;
     private List<ClaimConfig> claims = new ArrayList<>();
     private URL issuerId;
@@ -58,7 +59,6 @@ public void setClientId(String clientId) {
         this.clientId = clientId;
     }
 
-    // TODO: extract URI from request -> only validate provided with list of RedirectURIs
     public URL getRedirectUrl() {
         return redirectUrl;
     }
@@ -67,6 +67,14 @@ public void setRedirectUrl(URL redirectUrl) {
         this.redirectUrl = redirectUrl;
     }
 
+    public List<String> getValidRedirectUrls() {
+        return validRedirectUrls;
+    }
+
+    public void setValidRedirectUrls(List<String> validRedirectUrls) {
+        this.validRedirectUrls = validRedirectUrls;
+    }
+
     public URL getSignInUrl() {
         return signInUrl;
     }

src/main/java/de/denniskniep/safed/common/utils/RedirectUtils.java

@@ -0,0 +1,53 @@
+package de.denniskniep.safed.common.utils;
+
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URL;
+import java.util.List;
+
+public class RedirectUtils {
+
+    public static URL getValidRedirectUrl(String redirectUri, List<String> validRedirectUrls){
+        return getValidRedirectUrl(URI.create(redirectUri), validRedirectUrls);
+    }
+
+    public static URL getValidRedirectUrl(URI redirectUri, List<String> validRedirectUrls){
+        try {
+            URL redirectUrl = redirectUri.toURL();
+            String result = RedirectUtils.matchesRedirects(validRedirectUrls, redirectUri.toString(), true);
+            if(result != null){
+                return redirectUrl;
+            }
+            throw new RuntimeException("Redirect URI from request "+ redirectUri + " does not match one of the valid redirect URLs: " + String.join(", ", validRedirectUrls) );
+        } catch (MalformedURLException e) {
+            throw new RuntimeException("Redirect URI from request "+ redirectUri + " is malformed!", e);
+        }
+    }
+
+    public static String matchesRedirects(List<String> validRedirects, String redirect, boolean allowWildcards) {
+        for (String validRedirect : validRedirects) {
+            if ("*".equals(validRedirect)) {
+                // the valid redirect * is a full wildcard for http(s) even if the redirect URI does not allow wildcards
+                return validRedirect;
+            } else if (validRedirect.endsWith("*") && !validRedirect.contains("?") && allowWildcards) {
+                // strip off the query or fragment components - we don't check them when wildcards are effective
+                int idx = redirect.indexOf('?');
+                if (idx == -1) {
+                    idx = redirect.indexOf('#');
+                }
+                String r = idx == -1 ? redirect : redirect.substring(0, idx);
+                // strip off *
+                int length = validRedirect.length() - 1;
+                validRedirect = validRedirect.substring(0, length);
+                if (r.startsWith(validRedirect)) return validRedirect;
+                // strip off trailing '/'
+                if (length - 1 > 0 && validRedirect.charAt(length - 1) == '/') length--;
+                validRedirect = validRedirect.substring(0, length);
+                if (validRedirect.equals(r)) return validRedirect;
+            } else if (validRedirect.equals(redirect)){
+                return validRedirect;
+            }
+        }
+        return null;
+    }
+}

src/main/java/de/denniskniep/safed/common/verifications/TitleInfo.java

@@ -0,0 +1,28 @@
+package de.denniskniep.safed.common.verifications;
+
+import de.denniskniep.safed.common.scans.AuthResult;
+import de.denniskniep.safed.common.scans.ScanResultStatus;
+import org.springframework.stereotype.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@Service
+public class TitleInfo implements ScanResultVerificationStrategy {
+
+    @Override
+    public List<String> extractInfos(AuthResult scanAuthResult) {
+        if(scanAuthResult.getResponsePage().base64Screenshot() == null){
+            return new ArrayList<>();
+        }
+
+        return List.of(
+                "[INFO] Title: " + scanAuthResult.getResponsePage().title()
+        );
+    }
+
+    @Override
+    public VerificationResult evaluateScanResult(AuthResult firstPositiveAuthResult, AuthResult secondPositiveAuthResult, AuthResult scanAuthResult) {
+        return new VerificationResult(ScanResultStatus.OK, List.of());
+    }
+}

src/main/java/de/denniskniep/safed/oidc/auth/server/OidcFlow.java

@@ -3,6 +3,7 @@
 import de.denniskniep.safed.common.auth.browser.HttpRequest;
 import de.denniskniep.safed.common.config.ClaimConfig;
 import de.denniskniep.safed.common.utils.KeyProvider;
+import de.denniskniep.safed.common.utils.RedirectUtils;
 import de.denniskniep.safed.oidc.auth.browser.OidcAuthenticationRequest;
 import de.denniskniep.safed.oidc.auth.server.endpoints.TokenRequest;
 import de.denniskniep.safed.oidc.auth.server.endpoints.TokenResponse;
@@ -18,6 +19,7 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 
+import java.net.URL;
 import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
@@ -57,18 +59,25 @@ public HttpRequest buildWebRequest() {
             responseMode = "query";
         }
 
+        URL redirectUrl;
+        if(clientConfig.getRedirectUrl() != null) {
+            redirectUrl = clientConfig.getRedirectUrl();
+        } else{
+            redirectUrl = RedirectUtils.getValidRedirectUrl(requestData.getRedirectUri(), clientConfig.getValidRedirectUrls());
+        }
+
         if(StringUtils.equalsIgnoreCase(responseMode, "query")) {
-            URI uri = buildQuery(clientConfig.getRedirectUrl().toString(), params);
+            URI uri = buildQuery(redirectUrl.toString(), params);
             return new HttpRequest("GET", uri.toString());
         }
 
         if(StringUtils.equalsIgnoreCase(responseMode, "form_post")) {
-            URI uri = buildQuery(clientConfig.getRedirectUrl().toString());
+            URI uri = buildQuery(redirectUrl.toString());
             return new HttpRequest("POST", uri.toString(), params);
         }
 
         if(StringUtils.equalsIgnoreCase(responseMode, "fragment")) {
-            URI uri = buildQuery(clientConfig.getRedirectUrl().toString(), new HashedMap<>(), params);
+            URI uri = buildQuery(redirectUrl.toString(), new HashedMap<>(), params);
             return new HttpRequest("GET", uri.toString());
         }
 

src/main/java/de/denniskniep/safed/saml/auth/browser/SamlInitializationResult.java

@@ -35,6 +35,7 @@ public SamlRequestData asSamlRequestData() {
         SamlRequestData samlRequestData = new SamlRequestData();
         samlRequestData.setId(samlRequest.getID());
         samlRequestData.setRelayState(RelayState);
+        samlRequestData.setRedirectUri(samlRequest.getAssertionConsumerServiceURL());
         return samlRequestData;
     }
 }

src/main/java/de/denniskniep/safed/saml/auth/browser/SamlRequestData.java

@@ -1,8 +1,11 @@
 package de.denniskniep.safed.saml.auth.browser;
 
+import java.net.URI;
+
 public class SamlRequestData {
     private String id;
     private String relayState;
+    private URI redirectUri;
 
     public String getId() {
         return id;
@@ -19,4 +22,12 @@ public String getRelayState() {
     public void setRelayState(String relayState) {
         this.relayState = relayState;
     }
+
+    public URI getRedirectUri() {
+        return redirectUri;
+    }
+
+    public void setRedirectUri(URI redirectUri) {
+        this.redirectUri = redirectUri;
+    }
 }

src/main/java/de/denniskniep/safed/saml/auth/server/SamlResponseBuilder.java

@@ -1,6 +1,7 @@
 package de.denniskniep.safed.saml.auth.server;
 
 import de.denniskniep.safed.common.utils.KeyProvider;
+import de.denniskniep.safed.common.utils.RedirectUtils;
 import de.denniskniep.safed.saml.config.SamlAppConfig;
 import de.denniskniep.safed.saml.config.SamlAuthData;
 import de.denniskniep.safed.saml.auth.browser.SamlRequestData;
@@ -15,6 +16,7 @@
 import org.w3c.dom.Document;
 
 import java.net.URI;
+import java.net.URL;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 
@@ -43,10 +45,17 @@ public SamlResponseResult create(SamlAppConfig clientConfig, SamlRequestData req
         // SamlProtocol.authenticated
         // SamlService.handleSamlRequest
 
+        URL redirectUrl;
+        if(clientConfig.getRedirectUrl() != null) {
+            redirectUrl = clientConfig.getRedirectUrl();
+        } else{
+            redirectUrl = RedirectUtils.getValidRedirectUrl(request.getRedirectUri(), clientConfig.getValidRedirectUrls());
+        }
+
         // Manipulate standard properties
         SAML2LoginResponseBuilder builder = new SAML2LoginResponseBuilder()
                 .requestID(request.getId()) // InResponseTo
-                .destination(clientConfig.getRedirectUrl().toExternalForm())
+                .destination(redirectUrl.toString())
                 .issuer(clientConfig.getIssuerId().toExternalForm())
                 .assertionExpiration(clientConfig.getAssertionLifespanInMinutes())
                 .subjectExpiration(clientConfig.getAssertionLifespanInMinutes())
@@ -133,7 +142,7 @@ public SamlResponseResult create(SamlAppConfig clientConfig, SamlRequestData req
             var postBindingBuilder = bindingBuilder.postBinding(samlDocument);
 
             //todo: Apply here XML Changes after signature!
-            return postBindingBuilder.createWebRequest(clientConfig.getRedirectUrl());
+            return postBindingBuilder.createWebRequest(redirectUrl);
         } catch (Exception e) {
             throw new RuntimeException("Can not build SAMLResponse", e);
         }

src/main/resources/application-dev.yaml

@@ -28,6 +28,15 @@ oidc:
       client-id: example-oidc-002-implicitflow
       sign-in-url: "http://localhost:8084/"
       redirect-url: "http://localhost:8084/oauth/implicit"
+    example-oidc-002-implicitflow-valid-redirect-uris:
+      issuer-id: http://keycloak:8080/realms/demo
+      issuer-endpoint-url: http://keycloak:8080/realms/demo/protocol/openid-connect/auth
+      signing-private-key-pem-file-path: "./dev/keycloak/signing_key.pem"
+      signing-x509-cert-pem-file-path: "./dev/keycloak/signing_cert.pem"
+      client-id: example-oidc-002-implicitflow
+      sign-in-url: "http://localhost:8084/"
+      valid-redirect-urls:
+        - "http://localhost:8084/*"
     grafana-oidc:
       issuer-id: http://keycloak:8080/realms/demo
       issuer-endpoint-url: http://keycloak:8080/realms/demo/protocol/openid-connect/auth
@@ -55,6 +64,23 @@ saml:
       sign-in-url: "http://localhost:8081/"
       redirect-url: "http://localhost:8081/login/saml2/sso/example-saml-001"
 
+    example-saml-001-valid-redirect-uris:
+      claims:
+        - name: "name"
+          values:
+            - "Pen Tester"
+        - name: "given_name"
+          values:
+            - "Tester"
+      issuer-id: http://keycloak:8080/realms/demo
+      issuer-endpoint-url: http://keycloak:8080/realms/demo/protocol/saml
+      signing-private-key-pem-file-path: "./dev/keycloak/signing_key.pem"
+      signing-x509-cert-pem-file-path: "./dev/keycloak/signing_cert.pem"
+      client-id: example-saml-001
+      sign-in-url: "http://localhost:8081/"
+      valid-redirect-urls:
+        - "http://localhost:8081/login/saml2/sso/*"
+
     example-saml-001-no-auto-redirect:
       claims:
         - name: "name"