Relative RedirectUris #327
Normally we recommend that you separate all of those into separate, independent projects. As for the validation, I don't see us changing this for a non-recommended use case.
Why is that not a recommended use case? I would think that it is a fairly common use case for a simple SPA web application to host everything together in a single web app. Would there be any security issues with this approach?
Lax URL comparison is one of the most common attack vectors and vulnerabilities in OIDC and OAuth2. We deliberately designed around exact URL comparisons to ensure a high level of security. Weakening that is not going to happen.
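The exact-versus-lax redirect URI comparison the reply above refers to, as an added example that is not part of the original thread and not IdentityServer's own validation code. The registered URIs and the candidate redirect_uri values are constructed sample data; the www.foo.com host is taken from the thread. It shows what each comparison strategy accepts, so the cost of a "relaxed" match is visible on concrete inputs.

```python
"""Exact vs. lax redirect_uri validation on constructed sample data (added example)."""
from typing import Dict, Iterable
from urllib.parse import urlparse

# Constructed: the redirect URIs an operator registered for one client.
REGISTERED_REDIRECT_URIS = [
    "https://www.foo.com/callback",
    "https://www.foo.com/silent-renew.html",
]


def is_valid_exact(redirect_uri: str, registered: Iterable[str]) -> bool:
    """Exact string comparison against the registered list (the strict strategy)."""
    return redirect_uri in set(registered)


def is_valid_prefix(redirect_uri: str, registered: Iterable[str]) -> bool:
    """Lax strategy 1: accept anything that merely starts with a registered value."""
    return any(redirect_uri.startswith(r) for r in registered)


def is_valid_host_only(redirect_uri: str, registered: Iterable[str]) -> bool:
    """Lax strategy 2: compare only the host, ignoring scheme, path and query."""
    host = urlparse(redirect_uri).netloc.lower()
    return any(urlparse(r).netloc.lower() == host for r in registered)


def compare(redirect_uri: str, registered: Iterable[str] = REGISTERED_REDIRECT_URIS) -> Dict[str, bool]:
    """Return which strategies would accept this redirect_uri."""
    registered = list(registered)
    return {
        "exact": is_valid_exact(redirect_uri, registered),
        "prefix": is_valid_prefix(redirect_uri, registered),
        "host_only": is_valid_host_only(redirect_uri, registered),
    }


# Constructed candidates: one legitimate value and several that differ only slightly.
CANDIDATES = [
    "https://www.foo.com/callback",         # registered as-is
    "https://www.foo.com/callback/extra",   # extra path segment
    "https://www.foo.com/callback?foo=bar", # extra query string
    "http://www.foo.com/callback",          # same host, plaintext scheme
    "https://www.foo.com/profile",          # same host, unregistered path
]

if __name__ == "__main__":
    for uri in CANDIDATES:
        print(f"{uri:42} {compare(uri)}")
```

Only the first candidate passes exact comparison; prefix matching also lets the extra path and extra query through, and host-only matching accepts all five, including the plaintext scheme. Registering one exact URI per environment is the configuration cost that buys that strictness.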
I see, but shifting this question slightly to your first response. Why is it non-recommended to host IdentityServer in the same app as your API and/or SPA?
Well, it's possible, but as you build more clients and more apps, you benefit from SSO more when IdentityServer is on its own host.
Our plan is to have more external clients such as a mobile app and third party integrations, but we want our base web application and our authentication to exist at www.foo.com. We do not want to shuffle the user around too many hosts. I guess better security is a small price to pay for more config entries.
I have a single Website project which contains IdentityServer (login, etc), a WebAPI, and an Angular2 SPA. In my scenario everything is contained in a single web endpoint and all requests are being made from/to the same host name.
Would it be possible to allow for relative RedirectUris so that I do not have to include the host name?
https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/Validation/AuthorizeRequestValidator.cs#L135
I'd like to avoid having different configurations for each of my environments in both the SPA and IdentityServer config.