Summary
We are changing the default value of uaa.client.redirect_uri.matching_mode in uaa-release from legacy to exact to align with the upstream UAA secure default.
Background
The UAA server will change its built-in default for uaa.oauth.redirect_uri.allow_unsafe_matching from true to false (see cloudfoundry/uaa#3883). However, uaa-release currently sets uaa.client.redirect_uri.matching_mode to legacy by default, which means deployments via uaa-release continue to use the insecure permissive redirect URI matching behavior.
When matching_mode is legacy, UAA uses the LegacyRedirectResolver, which accepts any subdomain of a registered redirect host as a valid redirect target. Exact URI matching is the correct and safe default.
What is changing
The default value of uaa.client.redirect_uri.matching_mode in the uaa-release job spec is being changed from legacy to exact.
When set to exact, UAA uses strict exact-match redirect URI validation, which is the behavior recommended by the OAuth2 specification (RFC 6749).
Impact on operators
If you have explicitly set uaa.client.redirect_uri.matching_mode: legacy in your BOSH manifest or ops files: No immediate change — your configuration continues to work. You should audit your registered client redirect URIs and migrate to exact matching to use the secure default.
If you have not set this property (relying on the uaa-release default): After this change, UAA will use strict exact-match redirect URI validation. You should audit your registered clients to ensure their redirect URIs are registered as exact URIs (or valid wildcard patterns per the UAA wildcard rules), rather than relying on implicit subdomain matching.
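To make the audit described above concrete, here is an added example (not code from UAA or uaa-release) that models the two modes exactly as the text describes them: legacy accepts any subdomain of a registered redirect host, exact requires an identical URI. The client registrations and observed redirect_uri values are constructed sample data, and UAA's wildcard-pattern rules are not modelled.

```python
from urllib.parse import urlsplit

# Added example, not UAA or uaa-release code. "legacy" is modelled only as the
# subdomain permissiveness described above (scheme, port, path and query must
# still match); UAA's wildcard-pattern rules are deliberately not modelled.

def redirect_allowed(registered: str, candidate: str, mode: str) -> bool:
    """Return True if `candidate` is accepted for `registered` under `mode`."""
    if mode == "exact":
        return candidate == registered
    if mode == "legacy":
        r, c = urlsplit(registered), urlsplit(candidate)
        if (r.scheme, r.port, r.path, r.query) != (c.scheme, c.port, c.path, c.query):
            return False
        reg_host, cand_host = (r.hostname or ""), (c.hostname or "")
        # Any subdomain of the registered host is accepted in legacy mode.
        return cand_host == reg_host or cand_host.endswith("." + reg_host)
    raise ValueError(f"unknown matching_mode: {mode}")

def audit_clients(clients: dict, observed: dict) -> dict:
    """Map client_id -> observed redirect_uri values that legacy mode accepts
    but exact mode will reject, i.e. what breaks when the default flips."""
    breaking = {}
    for client_id, registered_uris in clients.items():
        for candidate in observed.get(client_id, []):
            legacy_ok = any(redirect_allowed(u, candidate, "legacy") for u in registered_uris)
            exact_ok = any(redirect_allowed(u, candidate, "exact") for u in registered_uris)
            if legacy_ok and not exact_ok:
                breaking.setdefault(client_id, []).append(candidate)
    return breaking

# Constructed sample data: client registrations and redirect_uri values seen
# in authorization requests (e.g. taken from the identity provider's logs).
CLIENTS = {
    "dashboard": ["https://dashboard.example.com/callback"],
    "cli": ["http://localhost:8080/oauth/callback"],
}
OBSERVED = {
    "dashboard": [
        "https://dashboard.example.com/callback",
        "https://staging.dashboard.example.com/callback",
    ],
    "cli": ["http://localhost:8080/oauth/callback"],
}

if __name__ == "__main__":
    for client_id, uris in audit_clients(CLIENTS, OBSERVED).items():
        print(f"{client_id}: register explicitly or fix callers: {uris}")
```

Each URI the audit reports must either be registered as its own exact URI (or a valid UAA wildcard pattern) before the default changes, or the client must stop sending it.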
Related
cloudfoundry/uaa#3883: uaa.oauth.redirect_uri.allow_unsafe_matching