Use 127.0.0.1 redirect over localhost for GitHub #1286

Merged
merged 1 commit into from Jun 12, 2023

@mjcheetham mjcheetham commented Jun 8, 2023

Use an IPv4 loopback redirect URL instead of the `localhost` name. This is in accordance with the recommendation in the OAuth spec[1][2] and also GitHub's documentation[3].

Note that this change depends on an update to the Git Credential Manager OAuth application on GitHub to add the "http://127.0.0.1/" redirect (with a trailing slash!). We will be strictly adding the new URL, and keep the older localhost-based redirect URL untouched for older clients.

The change to the OAuth app registration can occur before this is merged.

Fixes #594

Footnotes

  1. https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

  2. https://datatracker.ietf.org/doc/html/rfc8252#section-8.3

  3. https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#loopback-redirect-urls

Use an IPv4 loopback redirect URL instead of the `localhost` name. This
is in accordance with the recommendation in the OAuth spec[1] and also
GitHub's documentation[2].

Note that this change depends on an update to the Git Credential Manager
OAuth application on GitHub to add the "http://127.0.0.1/" redirect (with
a trailing slash!). We will be strictly adding the new URL, and keep the
older localhost-based redirect URL untouched for older clients.

[1] https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
[2] https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#loopback-redirect-urls
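
An added example (not code from this pull request or from Git Credential Manager) of the loopback redirect rules in RFC 8252 sections 7.3 and 8.3: the client binds to the 127.0.0.1 literal on an ephemeral port, and the server-side comparison ignores only the port for loopback IP literals. The function names and the strict treatment of `localhost` are assumptions of this example, not GitHub's implementation.

```python
import socket
from urllib.parse import urlsplit

# Loopback IP literals named in RFC 8252 section 7.3 (constant name is hypothetical).
LOOPBACK_LITERALS = {"127.0.0.1", "::1"}


def open_loopback_listener():
    """Client side: listen on the IPv4 loopback literal with an OS-chosen port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Binding to the literal involves no name resolution, so a misconfigured
    # hosts file or resolver cannot place the listener on another interface.
    sock.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    sock.listen(1)
    port = sock.getsockname()[1]
    # Trailing slash kept so the path equals the registered "http://127.0.0.1/".
    return sock, f"http://127.0.0.1:{port}/"


def _parts(uri):
    u = urlsplit(uri)
    fixed = (u.scheme, u.username, u.password, u.hostname, u.path, u.query, u.fragment)
    return fixed, u.port  # u.port raises ValueError on a malformed port


def redirect_matches(registered, requested):
    """Server side: exact match, except that the port may differ when the
    registered host is a loopback IP literal (RFC 8252 section 7.3)."""
    try:
        (reg, reg_port), (req, req_port) = _parts(registered), _parts(requested)
    except ValueError:
        return False
    if reg != req:
        return False  # scheme, host and path (trailing slash included) must agree
    if reg[3] in LOOPBACK_LITERALS:
        return True  # any port is acceptable for 127.0.0.1 and ::1
    return reg_port == req_port  # assumption: names like localhost get no port leeway


if __name__ == "__main__":
    listener, uri = open_loopback_listener()
    try:
        # Constructed candidates compared against the registration from the PR text.
        for candidate in (uri, uri.rstrip("/"), uri.replace("127.0.0.1", "localhost")):
            print(candidate, redirect_matches("http://127.0.0.1/", candidate))
    finally:
        listener.close()
```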

@mjcheetham mjcheetham added the host:github (Specific to the GitHub host provider) and auth:oauth (Specific to OAuth2 authentication) labels Jun 8, 2023
@ldennington ldennington left a comment

Excellent supporting documentation.

@mjcheetham mjcheetham merged commit f6b0259 into git-ecosystem:main Jun 12, 2023
6 checks passed
@mjcheetham mjcheetham deleted the gh-loopback branch June 12, 2023 21:58
@mjcheetham mjcheetham mentioned this pull request Jun 26, 2023
mjcheetham added a commit that referenced this pull request Jun 26, 2023
**Changes:**

- Use in-proc methods for getting OS version number (#1240, #1264)
- Update System.CommandLine (#1265)
- Suppress GUI from command-line argument (#1267)
- Add github (login|logout|list) commands (#1267)
- cURL Cookie file support (#1251)
- Update target framework on Mac/Linux to .NET 7 (#1274, #1282)
- Replace JSON.NET with System.Text.Json (#1274)
- Preserve exact redirect URI formatting in OAuth requests (#1281)
- Use IP localhost redirect for GitHub (#1286)
- Use WWW-Authenticate headers from Git for Azure Repos authority
(#1288)
- Better GitHub Enterprise Managed User (EMU) account support (#1190)

Successfully merging this pull request may close these issues.

Change redirect URI from localhost to 127.0.0.1