Wildcard for authorized origin URLs gives invalid origin error

[beezerk23]

##Wildcard for authorized origin URLs gives invalid origin error

Description

I think the latest update may have broke something regarding the wildcard for authorized origin urls. When i have https://*.example.com in my authorized origin urls, a request from https://foo.example.com produces this:
Invalid origin uri https://foo.example.com/

I know that there is a trailing slash in the origin uri but i think this should not affect this.

However if i add the full domain to the authorized origin urls it will work and does not produce any error.

Affects versions

1.45.1

Steps to reproduce

Should be clear from the description.

Expected behavior

That the wildcard works as expected.

Related

• OAuth app options to allow any redirect URI #425
• Allow dynamic redirect URI for OAuth  #437
• post_logout_redirect_uri does not work with wildcard specified url #2164
• Validate post_logout_redirect_uri against wildcards #2166
• OAuth2 Origin validation with wildcards #2185

[robotdan]

Internal:

• https://github.com/FusionAuth/fusionauth-app/pull/238

[robotdan]

Thanks for letting us know @beezerk23 - this is most likely occuring on a GET request to FusionAuth. In this case we fall back to the Referer header if the Origin is not present.

When using wild cards we take the entire value for matching, so we need to remove any path or query parameters from this value before validating.

[beezerk23]

Hey @robotdan, can you give me any inside on when this is going to be released?

[robotdan]

Sorry for the delay, this is available in an early build, now, and the full release is coming today or tomorrow.

[robotdan]

@beezerk23 thanks for your patience. Fix is available in 14.6.0.