diff --git a/internal/oidc/provider/federation_domain_issuer.go b/internal/oidc/provider/federation_domain_issuer.go
index a5f19f8c..2cd04e8a 100644
--- a/internal/oidc/provider/federation_domain_issuer.go
+++ b/internal/oidc/provider/federation_domain_issuer.go
@@ -44,6 +44,10 @@ func (p *FederationDomainIssuer) validate() error {
 		return constable.Error(`issuer must have "https" scheme`)
 	}
 
+	if issuerURL.Hostname() == "" {
+		return constable.Error(`issuer must have a hostname`)
+	}
+
 	if issuerURL.User != nil {
 		return constable.Error(`issuer must not have username or password`)
 	}
diff --git a/internal/oidc/provider/federation_domain_issuer_test.go b/internal/oidc/provider/federation_domain_issuer_test.go
index 4f7c06e9..7f10dd33 100644
--- a/internal/oidc/provider/federation_domain_issuer_test.go
+++ b/internal/oidc/provider/federation_domain_issuer_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package provider
@@ -20,6 +20,16 @@ func TestFederationDomainIssuerValidations(t *testing.T) {
 			issuer:    "",
 			wantError: "federation domain must have an issuer",
 		},
+		{
+			name:      "returns url.Parse errors",
+			issuer:    "https://example.com" + string(byte(0x7f)),
+			wantError: "could not parse issuer as URL: parse \"https://example.com\\x7f\": net/url: invalid control character in URL",
+		},
+		{
+			name:      "no hostname",
+			issuer:    "https://",
+			wantError: `issuer must have a hostname`,
+		},
 		{
 			name:      "no scheme",
 			issuer:    "tuna.com",
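Review bot: The new `issuerURL.Hostname() == ""` guard in validate() carries no comment explaining why it is needed, and the reason is not obvious from the surrounding checks: net/url parses `https://` (and `https:///path`) without error into a URL whose host is empty, which is exactly what the new "no hostname" test case relies on. I would add `// url.Parse accepts "https://" with an empty host; reject it explicitly so an issuer without a hostname never passes validation.` above the check. Using Hostname() rather than Host is the right choice here since it strips a port and IPv6 brackets, so `https://:8443` is rejected as well; that is worth a few words in the same comment. validate() begins and ends outside this hunk, so the ordering of this check relative to any later host-based checks cannot be confirmed from the hunk alone.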
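Review bot: The new "returns url.Parse errors" case pins the full standard-library error text (`net/url: invalid control character in URL`), which this package does not own and which may change wording between Go releases, so the case can start failing on a toolchain upgrade with no change to validate(). If wantError is compared with exact equality (the comparison is outside this hunk, so I am inferring), consider asserting only the prefix this package controls, e.g. `wantError: "could not parse issuer as URL: "` with a prefix/substring check, or compute the expected suffix at test time from `url.Parse(issuer)` so the test tracks the library rather than a literal. The "no hostname" case is fine as written since `issuer must have a hostname` is a constant owned by this package. TestFederationDomainIssuerValidations continues outside the hunk.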