From 04f3509c00f0eeda160ee8955c38fb11ebdab646 Mon Sep 17 00:00:00 2001
From: Henry Avetisyan
Date: Tue, 9 May 2023 14:42:47 -0700
Subject: [PATCH] for oidc redirect uri check both configured endpoint and auto-generated value (#2167)
Signed-off-by: Henry Avetisyan
Co-authored-by: Henry Avetisyan
---
 .../zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java | 4 ++--
 .../src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java | 7 ++++++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
index c1efe1c97a7..1677dc8652d 100644
--- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
+++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
@@ -2202,8 +2202,8 @@ boolean validateOidcRedirectUri(DomainData domainData, final String clientId, fi
 return false;
 }
 final String serviceEndpoint = service.getProviderEndpoint();
- if (!StringUtil.isEmpty(serviceEndpoint)) {
- return serviceEndpoint.equalsIgnoreCase(redirectUri);
+ if (!StringUtil.isEmpty(serviceEndpoint) && serviceEndpoint.equalsIgnoreCase(redirectUri)) {
+ return true;
 }
 // make sure we have a redirect uri suffix configured
diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
index 0043fa57dba..84cf6822ab8 100644
--- a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
+++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
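Review bot: The rewritten condition in the ZTSImpl.java hunk keeps `serviceEndpoint.equalsIgnoreCase(redirectUri)`, so a configured provider endpoint also matches a redirect URI that differs only in the case of its path or query, even though only the scheme and host of a URI are case-insensitive. If the path is meant to be matched exactly, `serviceEndpoint.equals(redirectUri)` (or a `java.net.URI`-based comparison that folds case on scheme and host only) would be tighter; the accompanying test uses an all-lowercase endpoint, so it cannot tell the two apart. Separately, with the early `return` gone, a configured endpoint no longer acts as the sole permitted redirect target — the auto-generated form, which per the test looks like `https://<service>.<domain><suffix>`, is accepted as well — and that widening deserves a comment on the new `if`, e.g. `// a redirect uri equal to the configured endpoint is accepted outright; otherwise fall through to the auto-generated <service>.<domain><suffix> check below`, plus a matching sentence in the method's Javadoc. validateOidcRedirectUri begins and ends outside the hunk, so the suffix check it falls through to is not visible here.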
@@ -13289,10 +13289,11 @@ public void testExtractServiceEndpoint() {
 domainData.setServices(services);
- // service endpoint exists - both valid and invalid cases
+ // service endpoint exists - both valid and invalid cases (no redirect suffix)
 assertTrue(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://localhost:4443/endpoint"));
 assertFalse(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://api.coretech.athenz.io"));
+ assertFalse(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://backend.coretech.athenz.io"));
 // valid service but no redirect uri suffix
@@ -13302,6 +13303,10 @@ public void testExtractServiceEndpoint() {
 zts.redirectUriSuffix = ".athenz.io";
+ // the service with the endpoint set now should pass with redirect suffix
+
+ assertTrue(zts.validateOidcRedirectUri(domainData, "coretech.backend", "https://backend.coretech.athenz.io"));
+
 // invalid client id
 assertFalse(zts.validateOidcRedirectUri(domainData, "coretech", "https://api.coretech.athenz.io"));