Fix URI composition for relative Issuer URIs without a trailing slash (…

…#285) (#286)
erlef · Nov 17, 2023 · 71896a0 · 71896a0
1 parent 1a45cfe
commit 71896a0
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 1 deletion.
diff --git a/src/oidcc_provider_configuration.erl b/src/oidcc_provider_configuration.erl
@@ -196,7 +196,7 @@ load_configuration(Issuer0, Opts) ->
     TelemetryOpts = #{topic => [oidcc, load_configuration], extra_meta => #{issuer => Issuer}},
     RequestOpts = maps:get(request_opts, Opts, #{}),
 
-    RequestUrl = uri_string:resolve(".well-known/openid-configuration", Issuer),
+    RequestUrl = url_join(".well-known/openid-configuration", Issuer),
     Request = {RequestUrl, []},
 
     Quirks = maps:get(quirks, Opts, #{}),
@@ -609,3 +609,12 @@ parse_claim_types_supported(Setting, Field) ->
                 error
         end
     ).
+
+-spec url_join(RefURI :: uri_string:uri_string(), BaseURI :: uri_string:uri_string()) ->
+    uri_string:uri_string().
+url_join(RefURI, BaseURI) ->
+    BaseURIBinary = iolist_to_binary(BaseURI),
+    case binary_part(BaseURIBinary, byte_size(BaseURIBinary) - 1, 1) of
+        <<"/">> -> uri_string:resolve(RefURI, BaseURI);
+        _ -> uri_string:resolve(RefURI, [BaseURI, "/"])
+    end.
diff --git a/test/oidcc_provider_configuration_test.erl b/test/oidcc_provider_configuration_test.erl
@@ -576,6 +576,52 @@ allow_unsafe_http_quirk_test() ->
 
     ok.
 
+uri_concatenation_test() ->
+    ok = meck:new(httpc, [no_link]),
+    HttpFun =
+        fun(get, {ReqEndpoint, _Header}, _HttpOpts, _Opts) ->
+            self() ! {req, ReqEndpoint},
+
+            {ok, {{"HTTP/1.1", 501, "Not Implemented"}, [], ""}}
+        end,
+    ok = meck:expect(httpc, request, HttpFun),
+
+    oidcc_provider_configuration:load_configuration("https://example.com"),
+
+    receive
+        {req, "https://example.com/.well-known/openid-configuration"} -> ok
+    after 0 ->
+        ct:fail(timeout_receive_attach_event_handlers)
+    end,
+
+    oidcc_provider_configuration:load_configuration("https://example.com/"),
+
+    receive
+        {req, "https://example.com/.well-known/openid-configuration"} -> ok
+    after 0 ->
+        ct:fail(timeout_receive_attach_event_handlers)
+    end,
+
+    oidcc_provider_configuration:load_configuration("https://example.com/realm"),
+
+    receive
+        {req, "https://example.com/realm/.well-known/openid-configuration"} -> ok
+    after 0 ->
+        ct:fail(timeout_receive_attach_event_handlers)
+    end,
+
+    oidcc_provider_configuration:load_configuration("https://example.com/realm/"),
+
+    receive
+        {req, "https://example.com/realm/.well-known/openid-configuration"} -> ok
+    after 0 ->
+        ct:fail(timeout_receive_attach_event_handlers)
+    end,
+
+    meck:unload(httpc),
+
+    ok.
+
 google_merge_json(Merge) ->
     PrivDir = code:priv_dir(oidcc),
     {ok, ValidConfigString} = file:read_file(PrivDir ++ "/test/fixtures/google-metadata.json"),