From f006ebe5e42bde04cba96c13f5b66a67d94ba3dd Mon Sep 17 00:00:00 2001
From: Olivier Dumont
Date: Tue, 30 Dec 2025 12:40:01 +0100
Subject: [PATCH] Fix open redirect vulnerability in authorize endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Per OAuth 2.0 RFC 6749 ยง4.1.2.1, errors should NOT redirect to unvalidated redirect_uri values. This fix:
- Returns JSON errors for failures before redirect_uri validation (missing parameters, invalid client)
- Only redirects to redirect_uri after it has been validated against registered client URIs
- Prevents open redirect attacks where malicious redirect_uri values could be used to redirect users to attacker-controlled sites
---
 internal/controller/oidc_controller.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/internal/controller/oidc_controller.go b/internal/controller/oidc_controller.go
index b4b5bfa..11a3732 100644
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -82,21 +82,33 @@ func (controller *OIDCController) authorizeHandler(c *gin.Context) {
  codeChallengeMethod := c.Query("code_challenge_method")
  // Validate required parameters
+ // Return JSON error instead of redirecting since redirect_uri is not yet validated
  if clientID == "" || redirectURI == "" || responseType == "" {
- controller.redirectError(c, redirectURI, state, "invalid_request", "Missing required parameters")
+ c.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid_request",
+ "error_description": "Missing required parameters",
+ })
  return
  }
  // Get client
+ // Return JSON error instead of redirecting since redirect_uri is not yet validated
  client, err := controller.oidc.GetClient(clientID)
  if err != nil {
- controller.redirectError(c, redirectURI, state, "invalid_client", "Client not found")
+ c.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid_client",
+ "error_description": "Client not found",
+ })
  return
  }
  // Validate redirect URI
+ // After this point, redirect_uri is validated and we can safely redirect
  if !controller.oidc.ValidateRedirectURI(client, redirectURI) {
- controller.redirectError(c, redirectURI, state, "invalid_request", "Invalid redirect_uri")
+ c.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid_request",
+ "error_description": "Invalid redirect_uri",
+ })
  return
  }
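Review bot: A missing `response_type` is now answered with a non-redirecting JSON 400 because it shares the first guard with `clientID`/`redirectURI`, but RFC 6749 §4.1.2.1 only forbids the redirect when the client id or redirect_uri is missing/invalid; once `ValidateRedirectURI` has passed, a missing `response_type` should be reported to the client as `invalid_request` on the validated redirect_uri, so narrow the first guard to `if clientID == "" || redirectURI == "" {` and move the `responseType == ""` check below the redirect_uri validation, where `controller.redirectError` is again the right response. The `GetClient` branch also folds every `err` into a 400 `invalid_client`/"Client not found"; if GetClient can fail for reasons other than an unknown client (a storage error, say — its contract is not visible here) that case should be a 500 rather than a message telling the user-agent the client does not exist. The three `c.JSON(http.StatusBadRequest, gin.H{...})` blocks have identical shape and could be one small helper, e.g. `controller.jsonError(c, "invalid_request", "Missing required parameters")`, so the error/error_description keys stay consistent as more pre-validation checks are added. authorizeHandler begins before this hunk and continues after it.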