How to best support dynamic redirect URIs (preview environments) #1487

Open
emiel opened this issue Sep 6, 2024 · 0 comments

Is your feature request related to a problem? Please describe.

We are developing an application on render.com. This hosting service provides "preview environments". An isolated preview environment is created for every pull request (GitHub) and is accessible using a unique URL for the environment (the PR ID is in the subdomain). Our identity provider (Django OAuth Toolkit) is not part of the preview environment and is hosted elsewhere. To log in to the app in the preview environment we need to update the allowed redirect URIs on the OAuth application. It then looks something like so:

https://some-other-app/authn/callback
https://some-app-pr-174.onrender.com/authn/callback
https://some-app-pr-175.onrender.com/authn/callback
https://some-app-pr-176.onrender.com/authn/callback
...

These environments come and go, so it is tedious to have to continually update the configuration.

Describe the solution you'd like

Currently, request URI is a string with space-separated URIs. If we were to allow a regular expression I could match the URI and allow URLs that match the expression.

I realize that allowing this is prone to error and possibly a foot-gun if someone allowed *.onrender.com. This would allow anyone on render.com to potentially hijack a token. :/

Describe alternatives you've considered

The only alternative I could come up with:

  1. A process that would populate allowed redirect URIs automatically. Each time a preview environment is created or destroyed it would be added/removed from redirect URIs.
  2. A process that creates an OAuth application for each preview environment. Hmmmm

I'm very interested if others have run into something similar and how they have solved it. :)

Additional context
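
One way to keep a pattern-based allowlist narrow, shown as an added example that is not part of the original issue and is not Django OAuth Toolkit's own code. The function names, the six-digit limit on the PR number, and the sample URIs in the test list are assumptions constructed for illustration; the hostnames and callback path come from the list in the issue.

```python
import re
from urllib.parse import urlsplit

# Exact-match entry, as in the issue's list of redirect URIs.
STATIC_REDIRECT_URIS = {"https://some-other-app/authn/callback"}

# Preview hosts: this app's name plus a numeric PR id, nothing else.
# The {1,6} length limit is an assumption.
PREVIEW_HOST_RE = re.compile(r"some-app-pr-[0-9]{1,6}\.onrender\.com")
CALLBACK_PATH = "/authn/callback"

# The foot-gun the issue warns about: any onrender.com subdomain passes.
LOOSE_RE = re.compile(r"https://.*\.onrender\.com/authn/callback")


def loose_allowed(uri: str) -> bool:
    """Wildcard-style check, kept only to contrast with the strict one."""
    return LOOSE_RE.match(uri) is not None


def redirect_uri_allowed(uri: str) -> bool:
    """Strict check: exact static entry, or a canonical preview callback."""
    if uri in STATIC_REDIRECT_URIS:
        return True
    try:
        host = urlsplit(uri).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    # Match the parsed host, not the raw string, so userinfo tricks and
    # suffixes such as ".onrender.com.other.example" cannot satisfy it.
    if PREVIEW_HOST_RE.fullmatch(host) is None:
        return False
    # Require the canonical form byte for byte: this rejects http, ports,
    # userinfo, query strings, fragments, extra path segments and
    # upper-case hosts in one comparison.
    return uri == f"https://{host}{CALLBACK_PATH}"


if __name__ == "__main__":
    # Constructed sample URIs.
    for candidate in [
        "https://some-app-pr-174.onrender.com/authn/callback",
        "https://someone-else.onrender.com/authn/callback",
        "https://some-app-pr-174.onrender.com.other.example/authn/callback",
        "http://some-app-pr-174.onrender.com/authn/callback",
    ]:
        print(candidate, loose_allowed(candidate), redirect_uri_allowed(candidate))
```

The strict check still trusts whoever controls the `some-app-pr-<number>` hostnames, so it only narrows the pattern approach; it does not replace alternatives 1 and 2 above.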
