Add validation to Back to Application URL

JayaShakthi97 · JayaShakthi97 · commit ada30aaeec06 · 2025-09-24T10:54:15.000+05:30
diff --git a/identity-apps-core/apps/recovery-portal/src/main/webapp/username-recovery-complete.jsp b/identity-apps-core/apps/recovery-portal/src/main/webapp/username-recovery-complete.jsp
@@ -23,6 +23,9 @@
 <%@ page import="org.wso2.carbon.identity.application.authentication.endpoint.util.AuthenticationEndpointUtil" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.IdentityRecoveryException" %>
 <%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.IdentityManagementEndpointUtil" %>
+<%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClient" %>
+<%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.PreferenceRetrievalClientException" %>
+<%@ page import="org.wso2.carbon.identity.mgt.endpoint.util.client.ApplicationDataRetrievalClient" %>
 <%@ page import="java.io.File" %>
 <%@ page import="java.net.URISyntaxException" %>
 <%@ taglib prefix="layout" uri="org.wso2.identity.apps.taglibs.layout.controller" %>
@@ -57,6 +60,28 @@
         successMessageTitle = "username.recovery.sms.success.heading";
         successMessageDescrition = "username.recovery.sms.success.body";
     }
+
+    boolean isValidCallBackURL = true;
+
+    try {
+        isValidCallBackURL = AuthenticationEndpointUtil.isSchemeSafeURL(callback);
+
+        if (isValidCallBackURL && StringUtils.isNotBlank(callback)) {
+            ApplicationDataRetrievalClient applicationDataRetrievalClient = new ApplicationDataRetrievalClient();
+            String applicationAccessUrl = applicationDataRetrievalClient.getApplicationAccessURL(tenantDomain, spAppName);
+
+            if (StringUtils.isNotBlank(applicationAccessUrl)) {
+                // If the application access URL is present, only then allow the callback to be that URL.
+                isValidCallBackURL = StringUtils.equals(callback, applicationAccessUrl);
+            } else {
+                // If the application access URL is not present, callback should be a valid multi option URL.
+                String encodedCallback = IdentityManagementEndpointUtil.getURLEncodedCallback(callback);
+                isValidCallBackURL = AuthenticationEndpointUtil.isValidMultiOptionURI(encodedCallback);
+            }
+        }
+    } catch (Exception e) {
+        isValidCallBackURL = false;
+    }
 %>
 
 <% request.setAttribute("pageName", "username-recovery-complete"); %>
@@ -101,7 +126,7 @@
                     <%=i18n(recoveryResourceBundle, customText, successMessageDescrition)%>
                     <br><br>
                     <%
-                        if(StringUtils.isNotBlank(callback) && AuthenticationEndpointUtil.isSchemeSafeURL(callback)) {
+                        if (StringUtils.isNotBlank(callback) && isValidCallBackURL) {
                     %>
                         <br/><br/>
                         <i class="caret left icon primary"></i>
