From 1e46506888b7d3fdcb100ff7316c72a699841358 Mon Sep 17 00:00:00 2001
From: Peter Sorotokin
Date: Mon, 18 Nov 2024 11:14:37 -0800
Subject: [PATCH] Fix for DPoP authorization failure when tomcat base url and actual base url differ. (#781)

Signed-off-by: Peter Sorotokin
---
 .../com/android/identity/server/openid4vci/BaseServlet.kt | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server-openid4vci/src/main/java/com/android/identity/server/openid4vci/BaseServlet.kt b/server-openid4vci/src/main/java/com/android/identity/server/openid4vci/BaseServlet.kt
index 2def04cbc..e3571732d 100644
--- a/server-openid4vci/src/main/java/com/android/identity/server/openid4vci/BaseServlet.kt
+++ b/server-openid4vci/src/main/java/com/android/identity/server/openid4vci/BaseServlet.kt
@@ -135,8 +135,12 @@ abstract class BaseServlet: BaseHttpServlet() {
 if (json["nonce"]?.jsonPrimitive?.content != dpopNonce) {
 throw InvalidRequestException("Stale or invalid DPoP nonce")
 }
- if (json["htu"]?.jsonPrimitive?.content != req.requestURL.toString()) {
- throw InvalidRequestException("Incorrect request URI: ${req.requestURL}")
+ val serverUrl = environment.getInterface(Configuration::class)!!.getValue("base_url")
+ // NB: cannot use req.requestURL, as it does not take into account potential frontends.
+ val expectedUrl = "$serverUrl${req.servletPath}"
+ val actualUrl = json["htu"]?.jsonPrimitive?.content
+ if (actualUrl != expectedUrl) {
+ throw InvalidRequestException("Incorrect request URI: $expectedUrl vs $actualUrl")
 }
 }
 }
\ No newline at end of file
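Review bot: The expected `htu` is now assembled from two values that the added lines do not validate, so the DPoP URI binding can break or loosen without an obvious cause. The `!!` only asserts the `Configuration` interface; if `getValue("base_url")` can return null (its signature is not visible here), the template yields a literal `null…` prefix and every proof is rejected with a misleading message, and a trailing slash in the setting produces `//`, so consider `val serverUrl = environment.getInterface(Configuration::class)!!.getValue("base_url")?.trimEnd('/') ?: throw IllegalStateException("base_url is not configured")`. `req.servletPath` also omits `pathInfo`, so if any subclass is mapped with a wildcard pattern the proof is bound only to the servlet prefix rather than the full target path; appending `req.pathInfo.orEmpty()` would keep the comparison exact. The new message interpolates `$actualUrl`, which is client-supplied, so it should be length-limited or dropped if that exception text reaches logs or the HTTP response. The function containing this check starts above the hunk, so how the proof's other claims are verified cannot be judged from here.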