redirect behavior change between v1.8.5 and v1.9.x #2363

Closed
simpleway opened this issue Feb 17, 2021 · 3 comments · Fixed by #2457

Comments

@simpleway
Contributor

Describe the bug
The /oauth2/auth endpoint changed its redirect behavior between v1.8.5 and v1.9.x. This happens if URLS_LOGIN is an Angular UI app whose URL contains /#/, e.g. http://localhost:3000/#/oauth/login
In v1.8.5, /oauth/auth endpoint redirects to "http://localhost:3000/?login_challenge=48ef86fa7f8142099aacbd172628f708#/oauth/login"
However, in v1.9.2 /oauth/auth endpoint redirects to "http://localhost:3000/%23/oauth/login?login_challenge=48ef86fa7f8142099aacbd172628f708"

Reproducing the bug

Steps to reproduce the behavior:

  1. start local hydra server
#!/bin/sh
 
export URLS_LOGIN=http://localhost:3000/#/oauth/login
export URLS_CONSENT=http://localhost:3000/#/oauth/consent
export DSN=memory
export OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public
export SERVE_COOKIES_SAME_SITE_MODE=Lax
export OAUTH2_EXPOSE_INTERNAL_ERRORS=true
export LOG_LEAK_SENSITIVE_VALUES=true
export LOG_LEVEL=debug
 
echo "Starting Hydra ..."
hydra serve all --dangerous-force-http
  2. Create a client with
curl -L -X POST 'http://localhost:4445/clients' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
--data-raw '{
    "client_id": "demo",
    "client_secret": "password",
    "redirect_uris": [
        "http://localhost:8080/callback",
        "https://oauth.pstmn.io/v1/callback"
    ],
    "grant_types": [
        "authorization_code"
    ]
 }'
  3. Initiate authorization code flow with
curl -L -X GET 'http://localhost:4444/oauth2/auth?response_type=code&state=123456&client_id=demo&redirect_uri=https%3A%2F%2Foauth.pstmn.io%2Fv1%2Fcallback'

The response header "Location" value is http://localhost:3000/%23/oauth/login?login_challenge=48ef86fa7f8142099aacbd172628f708

Server logs

No error

Server configuration

None

Expected behavior

Expect the redirect behavior to remain compatible with v1.8.5: http://localhost:3000/?login_challenge=48ef86fa7f8142099aacbd172628f708#/oauth/login, so that the Angular login UI remains functional after upgrading past v1.8.5.

Environment

  • Version: v1.9.2
    Git Hash: f0580e2
    Build Time: 2021-01-29T15:02:55Z
  • Environment: Debian, Windows
@aeneasr
Member

aeneasr commented Feb 17, 2021

Thank you for the report - how are you communicating with hydra's login and consent endpoints? Through the Angular AJAX?

@simpleway
Contributor Author

Angular UI will do some processing, and pass the login_challenge to backend service. The backend service will call hydra login and consent endpoints.

@aeneasr
Member

aeneasr commented Feb 17, 2021

Ok good :) Just wanted to make sure!

The problem is probably how we construct the query. In the past, we just appended the query. Now we parse the URL and use RawQuery to construct it properly. I think the error comes from there as the url and query parser does not respect the hashbang URLs.

Generally, we don't want to be too favorable to SPAs due to the risk of people using AJAX to communicate with Ory Hydra admin. However, I do understand that this sucks for specific use cases where this is wanted.

I would be fine with fixing this behavior to resolve your issue. Would you be up for a PR?
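
The two redirect shapes from the report, reproduced with Go's standard `net/url` as an added example (not code from this thread or from hydra). The function names are hypothetical, and `pathWithHash` is only one assumed way the `%23` form can arise, not hydra's confirmed code path. Parsing the configured URL keeps `#/oauth/login` as a fragment, so `login_challenge` lands in the query where the login UI can read it.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed sample values taken from the issue report.
const (
	configuredLogin = "http://localhost:3000/#/oauth/login"
	challenge       = "48ef86fa7f8142099aacbd172628f708"
)

// appendChallenge parses the configured URL, so net/url splits the
// "#..." part into u.Fragment, then merges login_challenge into the query.
// The serialized form puts the query before the fragment (RFC 3986 order).
func appendChallenge(configured, challenge string) (string, error) {
	u, err := url.Parse(configured)
	if err != nil {
		return "", err
	}
	q := u.Query() // keep any query parameters already configured
	q.Set("login_challenge", challenge)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// pathWithHash shows one way the "%23" form can arise (an assumption, not
// hydra's actual code path): the "#" ends up inside u.Path, where it is
// data rather than a delimiter, so String() must percent-encode it.
func pathWithHash(base, path, challenge string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path = path
	u.RawQuery = url.Values{"login_challenge": {challenge}}.Encode()
	return u.String(), nil
}

func main() {
	good, _ := appendChallenge(configuredLogin, challenge)
	bad, _ := pathWithHash("http://localhost:3000", "/#/oauth/login", challenge)
	fmt.Println(good)
	fmt.Println(bad)
}
```
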

simpleway added a commit to simpleway/hydra that referenced this issue Apr 10, 2021
allow #fragment in configured url to keep backwards compatibility. Close ory#2363
aeneasr added a commit that referenced this issue Apr 27, 2021
Allow #fragment in configured url to keep backwards compatibility.

Close #2363

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
mitar pushed a commit to mitar/hydra that referenced this issue May 13, 2021
Allow #fragment in configured url to keep backwards compatibility.

Close ory#2363

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>