Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URI in RedirectURI isn't accepted #161

Closed
AliveDevil opened this issue Oct 2, 2024 · 3 comments · Fixed by #167
Closed

URI in RedirectURI isn't accepted #161

AliveDevil opened this issue Oct 2, 2024 · 3 comments · Fixed by #167
Assignees
@longsleep
Labels
bug Something isn't working

Comments

@AliveDevil
Copy link

When configuring the OAuth component with a redirect URI, instead of a redirect URL, the authentication fails with invalid or missing redirect_uri, which in the context of a redirect URI - instead of a redirect URL - is wrong.

As the name suggests, one can use redirect URIs (i.e. protocol:action), which is just as valid as a redirect URL with protocol://authority.

Been redirected here from ownCloud/ocis, as it is used in the Embedded Identity Provider there.
Checking https://github.com/libregraph/lico/blob/master/oidc/payload/authentication.go#L335-L337, leads to the main culprit: As a URL is a URI, you only need to check for RedirectURI and Protocol being set. The host-component is part of a URL, which not every URI has.
When enforcing redirect URIs to be URLs all other forms of URIs are excluded (i.e. urn:, x-custom-protocol:action, etc.).

Also: owncloud/ocis#10159
@longsleep longsleep self-assigned this Nov 13, 2024
@longsleep longsleep added the bug Something isn't working label Nov 13, 2024
@longsleep
Copy link
Collaborator

I guess we can improve this check and only fail if both Host and Scheme are empty.

https://play.golang.com/p/uL442LPu4cx

@AliveDevil
Copy link
Author

I'd even go as far as just checking IsAbs().

@longsleep
Copy link
Collaborator

Good suggestion thanks 👍

longsleep added a commit to longsleep-io/lico that referenced this issue Nov 13, 2024
@longsleep
Allow client redirect URI with only a scheme
ea3dfaa 
The redirect URI can have the form `protocol:action` which is basically
just a scheme. This is entirely valid and since such URI do not have a
host the validation of the redirect_uri request parameter fails.

This change does no longer check the host part of the URI to be
non-empty, fixing client support for clients using such URIs.

Fixes: libregraph#161
@longsleep longsleep mentioned this issue Nov 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@longsleep longsleep

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow client redirect URI with only a scheme longsleep-io/lico
2 participants
@AliveDevil @longsleep