Cannot use query params with OIDC providers with no redirect_uri wildcard support (#3237)
Commits referencing this issue:
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Feb 13, 2023)
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Feb 13, 2023)
- stroomdev66 added a commit that referenced this issue (Feb 21, 2023)
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Feb 26, 2023)
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Mar 10, 2023)
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Mar 22, 2023). Commit message fragment: "# Conflicts: # stroom-dashboard/stroom-dashboard-client/src/main/java/stroom/dashboard/client/main/DashboardMainPresenter.java"
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Apr 10, 2023). Commit message fragment: "# Conflicts: # stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/OpenIdManager.java"
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (May 15, 2023). Commit message fragment: "# Conflicts: # stroom-security/stroom-security-impl/src/main/java/stroom/security/impl/UserIdentityFactoryImpl.java"
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (May 26, 2023)
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Jul 27, 2023). Commit message fragment: "# Conflicts: # stroom-core-client/src/main/java/stroom/core/client/UrlParameters.java"
- p-kimberley added a commit to p-kimberley/stroom that referenced this issue (Jul 27, 2023)
Issue description:

According to the OAuth 2.0 spec, redirect URIs must be absolute (i.e. may not be fragments, so no wildcards). Some providers support wildcards when defining redirect URIs for a particular client, while others do not.

Normally this isn't an issue, where the only URI entered by users in a browser is https://<stroom uri>/. However, where query string parameters are used (like those used to open a dashboard), Stroom includes the entire URI (with the query string) in the redirect_uri parameter. This causes authentication requests against OIDC providers that don't support wildcards to fail.

The general recommendation is for application state to be stored by the client against the unique state ID passed between the backend and the IDP. Currently this is done and the stored URI is used for the final post-auth redirect and the value of redirect_uri.

A potential fix is to strip the query string from the redirect_uri parameter sent to the authorisation endpoint. This will ensure that IDPs without wildcard support will permit the value of redirect_uri (sans query string).
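The flow described above, as an added illustration that is not Stroom's code (it is not the project's OpenIdManager or UrlParameters): the authorisation request carries a redirect_uri with the query string stripped, the full original URL (dashboard parameters included) is stored server-side against a single-use state value, and the stored URL is used for the post-auth redirect once the IDP calls back. The IDP side is modelled as the plain string comparison an IDP without wildcard support performs (RFC 6749 §3.1.2.3); all URLs, the client id and the state values are constructed for the example.

```python
"""Added example: keep the OIDC redirect_uri stable, keep app state in `state`.

Standalone illustration of the fix proposed in the issue; not Stroom's own code.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def strip_query(url: str) -> str:
    """Return scheme://host/path with the query string and fragment removed."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


class StateStore:
    """Server-side record of pending logins, keyed by the opaque state value."""

    def __init__(self):
        self._pending = {}

    def put(self, state: str, original_url: str, redirect_uri: str) -> None:
        self._pending[state] = (original_url, redirect_uri)

    def pop(self, state: str):
        # Single use: a state value can complete at most one login (replay protection).
        return self._pending.pop(state, None)


def build_authorization_request(original_url, auth_endpoint, client_id, store,
                                strip=True, state=None):
    """Build the authorisation URL; returns (auth_url, redirect_uri_sent).

    strip=False reproduces the behaviour the issue reports (query string kept);
    strip=True is the proposed fix. `state` is only injectable for testing.
    """
    state = state or secrets.token_urlsafe(32)
    redirect_uri = strip_query(original_url) if strip else original_url
    # The full original URL is what the user ultimately needs to land on, so it is
    # kept against the state value rather than pushed through the IDP.
    store.put(state, original_url, redirect_uri)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}", redirect_uri


def idp_accepts_redirect_uri(registered: str, requested: str) -> bool:
    """Exact-match check as performed by an IDP with no wildcard support."""
    return registered == requested


def handle_callback(callback_url: str, store: StateStore):
    """Process the IDP redirect back; returns (code, redirect_uri_for_token_request, post_auth_url).

    The token request must repeat the exact redirect_uri from the authorisation
    request, so the stored value is returned alongside the original URL.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if state is None or code is None:
        raise ValueError("callback missing code or state")
    entry = store.pop(state)
    if entry is None:
        raise ValueError("unknown or already-used state")
    original_url, redirect_uri = entry
    return code, redirect_uri, original_url
```

Running the two variants side by side shows the difference the issue describes: with the query string kept, the requested redirect_uri no longer equals the registered https://stroom.example/ and a strict IDP rejects it; with it stripped, the IDP accepts the request and the dashboard parameters still reach the user via the stored URL.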