This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Relative RedirectUris #327

Closed
rsnj opened this issue Sep 20, 2016 · 7 comments

@rsnj

rsnj commented Sep 20, 2016

I have a single Website project which contains IdentityServer (login, etc), a WebAPI, and an Angular2 SPA. In my scenario everything is contained in a single web endpoint and all requests are being made from/to the same host name.

Would it be possible to allow for relative RedirectUris so that I do not have to include the host name?
https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/Validation/AuthorizeRequestValidator.cs#L135

I'd like to avoid having different configurations for each of my environments in both the SPA and IdentityServer config.

@brockallen
Member

Normally we recommend that you separate all of those into separate, independent projects.

As for the validation, I don't see us changing this for a non-recommended use case.

@rsnj
Author

rsnj commented Sep 21, 2016

Why is that not a recommended use case? I would think that it is a fairly common use case for a simple SPA web application to host everything together in a single web app. Would there be any security issues with this approach?

@brockallen
Member

Lax URL comparison is one of the most common attack vectors and vulnerabilities in OIDC and OAuth2. We deliberately designed around exact URL comparisons to ensure a high level of security. Weakening that is not going to happen.
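
To make the exact-comparison point concrete, here is an added Python example (not IdentityServer4's code; the client id, hosts and URIs are constructed) that models exact redirect_uri matching beside the relative-URI and prefix matching the issue asks for, so the difference in what each policy accepts is visible.

```python
"""Exact versus lax redirect_uri validation.

Added example, not IdentityServer4 code: the exact comparison the maintainer
defends, beside the relaxed behaviour the issue asked for (relative URIs,
prefix matching). Client id, hosts and URIs are constructed.
"""
from urllib.parse import urljoin, urlsplit

# Constructed registration: absolute redirect URIs only.
REGISTERED = {
    "spa": ["https://www.foo.com/callback"],
}


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Accept only a redirect_uri that is byte-for-byte in the client's list.
    A relative path, a changed query string or an extra host label all fail."""
    return redirect_uri in REGISTERED.get(client_id, [])


def lax_match(client_id: str, redirect_uri: str, request_host: str) -> bool:
    """The relaxation requested in the issue, kept only to show its cost: a
    relative redirect_uri is resolved against the host the request arrived on,
    and the result is accepted if it merely starts with a registered scheme://host."""
    absolute = urljoin(f"https://{request_host}/", redirect_uri)
    for registered in REGISTERED.get(client_id, []):
        parts = urlsplit(registered)
        if absolute.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False


def compare_policies(request_host: str = "www.foo.com") -> dict:
    """Run both policies over constructed candidates; returns {uri: (exact, lax)}."""
    candidates = [
        "https://www.foo.com/callback",             # the registered URI
        "/callback",                                # relative, as the issue requests
        "https://www.foo.com/callback?extra=1",     # query string differs
        "https://www.foo.com.example.net/callback", # host that only starts with ours
    ]
    return {
        uri: (exact_match("spa", uri), lax_match("spa", uri, request_host))
        for uri in candidates
    }


if __name__ == "__main__":
    for uri, (exact, lax) in compare_policies().items():
        print(f"{uri:45} exact={exact!s:5} lax={lax}")
```

Note that under the lax policy the verdict for "/callback" changes with the host the request arrived on, so the registration alone no longer decides where a code may be sent.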

@rsnj
Author

rsnj commented Sep 21, 2016

I see, but shifting this question slightly back to your first response: why is it non-recommended to host IdentityServer in the same app as your API and/or SPA?

@brockallen
Member

Well, it's possible, but as you build more clients and more apps, you benefit from SSO more when IdentityServer is on its own host.

@rsnj
Author

rsnj commented Sep 21, 2016

Our plan is to have more external clients such as a mobile app and third party integrations, but we want our base web application and our authentication to exist at www.foo.com. We do not want to shuffle the user around too many hosts. I guess better security is a small price to pay for more config entries.
Really liking IdentityServer4! Thanks for the info!

@rsnj rsnj closed this as completed Sep 21, 2016
@lock

lock bot commented Jan 15, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 15, 2020