Allow wildcard for redirect_urls in OAuth2 apps #702
Conversation
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
bdb380e to
24611cb
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
2aaafb6 to
ca88f5e
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
ca88f5e to
9be812b
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
2 times, most recently
from
66521d6 to
0eb0c40
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
0eb0c40 to
69b52c4
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
1f823eb to
8ca575a
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
8ca575a to
ee4afee
Compare
TamiTakamiya
force-pushed
the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
from
ee4afee to
5a413ed
Compare
TamiTakamiya
requested review from
ganeshrn,
gebhardtr,
goneri,
jameswnl and
tomershinhar
| """ | ||
|
|
||
|
|
||
| default_app_config = ( |
There was a problem hiding this comment.
Do we need this? It looks like default_app_config was deprecated and then removed from django.
There was a problem hiding this comment.
You're right. I just copied from the URL in the comment and that's the only reason that I included it here.
I found there was a PR on removing default_app_config from django-oauth-toolkit as well. I will remove that line.
| def _uri_is_allowed(allowed_uri, uri): | ||
| """Check that the URI conforms to these rules.""" | ||
| schemes_match = allowed_uri.scheme == uri.scheme | ||
| netloc_matches_pattern = re.fullmatch(allowed_uri.netloc, uri.netloc) |
There was a problem hiding this comment.
While I know we discussed that we would be very careful with our regexs that we specify in our applications, should we also consider enforcing e.g. that the top level domain is an exact match, and only the subdomain can have a wildcard? I came across this wildcard_redirect support in okta that takes this approach and seems to help limit the risk: https://developer.okta.com/docs/reference/api/apps/#details
There was a problem hiding this comment.
The current implementation accepts general expressions, but if we put limitations like Okta's implementation, we should just support "wildcard" ('*') even though we will use regex in internal processing. I will re-design this part in that way.
There was a problem hiding this comment.
I have implemented a new design in the latest commit:
- Instead of accepting a given string for allowed URI as a regex pattern, allow only wildcards (asterisk
*) in a redirect URI - A wildcard matches any (0 or more) characters except for slashes (
/). - In a netloc part, wildcards should appear only in the subdomain, not in the root domain.
- Matching with wildcards is not performed against IP addresses. For example, even if an allowed URI is set to
http://*.*.0.1:8080/callback,http://123.123.0.1:8080/callbackdoes not match to it.
| } | ||
|
|
||
| # | ||
| # We need to run 'manage.py migrate' before adding our own OAuth2 application model. |
There was a problem hiding this comment.
Should we be seeing a migration file in this PR for this new application? Assuming yes, I'm not entirely clear on the order of operations for getting everything set up correctly.
There was a problem hiding this comment.
No, we will not have a new migration file with this PR. The new "wildcard" OAuth app will swap the default app as it is defined as "swappable" and the same db table will be used as the default one,
|
@robinbobbitt I have addressed to your comments in the latest commit. Would you take a look? Thank you! |
|
For anybody else testing this PR, Jeff's test script here is handy: #84 (comment) |
There was a problem hiding this comment.
Thanks @TamiTakamiya ! This looks great. I tested with valid and invalid redirect uris in the Application configuration and in the authorize flow and all looks good.
TamiTakamiya
deleted the
ttakamiy/AAP-18031/GitHub-Codespaces-Support-PoC
branch
2 participants
For AAP-18031