Forbid URIs with fragments

src/axum_lib.rs

@@ -47,6 +47,9 @@ impl IntoResponse for CustomError {
             CustomError::BadRequest(_) => {
                 (StatusCode::BAD_REQUEST, self.to_string()).into_response()
             }
+            CustomError::BadRequestRegister(e) => {
+                (StatusCode::BAD_REQUEST, Json::from(e)).into_response()
+            }
             CustomError::BadRequestToken(e) => {
                 (StatusCode::BAD_REQUEST, Json::from(e)).into_response()
             }

src/oidc.rs

@@ -8,9 +8,9 @@ use openidconnect::{
         CoreAuthErrorResponseType, CoreAuthPrompt, CoreClaimName, CoreClientAuthMethod,
         CoreClientMetadata, CoreClientRegistrationResponse, CoreErrorResponseType, CoreGrantType,
         CoreIdToken, CoreIdTokenClaims, CoreIdTokenFields, CoreJsonWebKeySet,
-        CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreResponseType, CoreRsaPrivateSigningKey,
+        CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreRegisterErrorResponseType,
-        CoreSubjectIdentifierType, CoreTokenResponse, CoreTokenType, CoreUserInfoClaims,
+        CoreResponseType, CoreRsaPrivateSigningKey, CoreSubjectIdentifierType, CoreTokenResponse,
-        CoreUserInfoJsonWebToken,
+        CoreTokenType, CoreUserInfoClaims, CoreUserInfoJsonWebToken,
     },
     registration::{EmptyAdditionalClientMetadata, EmptyAdditionalClientRegistrationResponse},
     url::Url,
@@ -60,6 +60,8 @@ pub enum CustomError {
     #[error("{0}")]
     BadRequest(String),
     #[error("{0:?}")]
+    BadRequestRegister(RegisterError),
+    #[error("{0:?}")]
     BadRequestToken(TokenError),
     #[error("{0}")]
     Unauthorized(String),
@@ -479,6 +481,11 @@ pub async fn sign_in(
     Ok(url)
 }
 
+#[derive(Debug, Serialize)]
+pub struct RegisterError {
+    error: CoreRegisterErrorResponseType,
+}
+
 pub async fn register(
     payload: CoreClientMetadata,
     db_client: &DBClientType,
@@ -487,6 +494,13 @@ pub async fn register(
     let secret = Uuid::new_v4();
 
     let redirect_uris = payload.redirect_uris().to_vec();
+    for uri in redirect_uris.iter() {
+        if uri.url().fragment().is_some() {
+            return Err(CustomError::BadRequestRegister(RegisterError {
+                error: CoreRegisterErrorResponseType::InvalidRedirectUri,
+            }));
+        }
+    }
 
     let entry = ClientEntry {
         secret: secret.to_string(),

src/worker_lib.rs

@@ -22,6 +22,9 @@ impl From<CustomError> for Result<Response> {
     fn from(error: CustomError) -> Self {
         match error {
             CustomError::BadRequest(_) => Response::error(&error.to_string(), 400),
+            CustomError::BadRequestRegister(e) => {
+                Response::from_json(&e).map(|r| r.with_status(400))
+            }
             CustomError::BadRequestToken(e) => Response::from_json(&e).map(|r| r.with_status(400)),
             CustomError::Unauthorized(_) => Response::error(&error.to_string(), 401),
             CustomError::Redirect(uri) => Response::redirect(uri.parse().unwrap()),