Thanks to visit codestin.com
Credit goes to Github.com

Skip to content

Executor for client uris pattern validation #46300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
graziang wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Executor for client uris pattern validation #46300

graziang wants to merge 1 commit into from

Conversation

@graziang
Copy link
Contributor

@graziang graziang commented Feb 12, 2026

Closes #45645
Closes #45694

Instead of extending SecureClientUrisExecutor, I introduced a new executor to provide fully configurable client URIs validation.

I did not extend SecureClientUrisExecutor because it already enforces HTTPS and disallows wildcards.
There is a need to trust specific domains to mitigate SSRF on the JWKS URI (see discussion on #45645) and the same for bad adminUrl values #45694 and changing the behavior of SecureClientUrisExecutor while preserving backward compatibility would have been a bit forced.

The new executor SecureClientUrisPatternExecutor allows configuring:

  • A list of allowed regex patterns.

  • A list of client URI field to which those patterns should be applied.

Configuration may be more complex, but it is very flexible to cover all the cases of validation of any uri field of the client.

Added dedicated tests and documentation.

@graziang graziang requested review from a team as code owners February 12, 2026 21:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

team/cloud-native team/core-clients team/core-iam

Projects

None yet

Milestone

No milestone

1 participant

@graziang