Add redirectUri to url regex for OAuth2 #396
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Keycloak, an OAuth2/OpenId Connect authentication server, has multiple pages it redirects to during the login process for the user. One such internal url it uses has `code=` as part of the url. This causes the window to close prematurely and attempt to get an access token. However, the code is wrong because it is only an intermediaery step for Keycloak. This fix will add the redirectUri to the regex. Insomnia will only attempt to fetch the token AFTER keycloak has finished it's full login flow and has redirected back to the redirectUri.
|
Why is appveyor failing? :-( |
|
Hmm, "AppVeyor was unable to build non-mergeable pull request" Seems like a one-off error. |
gschier
suggested changes
Aug 3, 2017
There was a problem hiding this comment.
Great job on finding that bug @starJammer. Just one comment for ya 👍
Also, don't worry about the CI failing. Seems like a one-off problem.
| @@ -57,8 +57,9 @@ async function _authorize (url, clientId, redirectUri = '', scope = '', state = | |||
| // Add query params to URL | |||
| const qs = querystring.buildFromParams(params); | |||
| const finalUrl = querystring.joinUrl(url, qs); | |||
| const regex = redirectUri ? new RegExp(redirectUri + '.*(code=|error=).*') : /(code=|error=)/; | |||
There was a problem hiding this comment.
Two things here. redirectUri must first be escaped before being included in the regex constructor. Also, no need to check for redirectUri because if it's an empty string, you still get the correct regex.
Something like this should do the trick.
const escapedUri = redirectUri.replace(/[-[\]/{}()*+?.\\^$|]/g, '\\$&');
const regex = new RegExp(`${escapedUri}.*(code=|error=)`)There was a problem hiding this comment.
Thanks for the improvement @gschier !!
gschier
approved these changes
Aug 3, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Made a change to how the regex used to detect the
finalUrlduring the OAuth2 flow.Why
Keycloak is an an OAuth2/OpenId Connect authentication provider. As part of Keycloak's authentication flow it loads several pages in order to prompt the user for different pieces of information. One of these pages is an internal keycloak page with a
code=12341234at the end of the url.This triggers the regex and Insomnia will extract this invalid code and attempt to get a token. The access token request fails because the code is internal to keycloak and isn't actually an authorization code.
This PR will add the redirect uri, if present, to the regex so that it will only trigger if the url loaded in the window begins with the redirect uri.
Details
Not sure if RegEx is commonly available. Don't normally contribute to node/js based projects.
Notes
Not sure how to add tests regarding this.
Related Issue: (Issue number this PR references, for example #4)