for oidc redirect uri check both configured endpoint and auto-generat…

…ed value (#2167)

Signed-off-by: Henry Avetisyan <[email protected]>
Co-authored-by: Henry Avetisyan <[email protected]>

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java

@@ -2202,8 +2202,8 @@ boolean validateOidcRedirectUri(DomainData domainData, final String clientId, fi
             return false;
         }
         final String serviceEndpoint = service.getProviderEndpoint();
-        if (!StringUtil.isEmpty(serviceEndpoint)) {
-            return serviceEndpoint.equalsIgnoreCase(redirectUri);
+        if (!StringUtil.isEmpty(serviceEndpoint) && serviceEndpoint.equalsIgnoreCase(redirectUri)) {
+            return true;
         }
 
         // make sure we have a redirect uri suffix configured

servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java

@@ -13289,10 +13289,11 @@ public void testExtractServiceEndpoint() {
 
         domainData.setServices(services);
 
-        // service endpoint exists - both valid and invalid cases
+        // service endpoint exists - both valid and invalid cases (no redirect suffix)
 
         assertTrue(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://localhost:4443/endpoint"));
         assertFalse(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://api.coretech.athenz.io"));
+        assertFalse(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://backend.coretech.athenz.io"));
 
         // valid service but no redirect uri suffix
 
@@ -13302,6 +13303,10 @@ public void testExtractServiceEndpoint() {
 
         zts.redirectUriSuffix = ".athenz.io";
 
+        // the service with the endpoint set now should pass with redirect suffix
+
+        assertTrue(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://backend.coretech.athenz.io"));
+
         // invalid client id
 
         assertFalse(zts.validateOidcRedirectUri(domainData, "coretech", "https://api.coretech.athenz.io"));