Add anchors to valid chars in a redirect_uri #469
Conversation
requirements.txt
Outdated
| @@ -1,3 +1,7 @@ | |||
| pyjwt==1.0.0 | |||
| blinker==1.3 | |||
| cryptography>=0.8.1 | |||
| contextlib2==0.5.4 | |||
There was a problem hiding this comment.
Why are the requirements expanding as a result of this?
There was a problem hiding this comment.
I ran the test suite and it was failing because these guys were missing
requirements.txt
Outdated
| @@ -1,3 +1,7 @@ | |||
| pyjwt==1.0.0 | |||
| blinker==1.3 | |||
| cryptography>=0.8.1 | |||
| contextlib2==0.5.4 | |||
| testscenarios==0.5.0 | |||
| mock==2.0.0 | |||
There was a problem hiding this comment.
IMHO, requirements that are only needed for tests should go in a separate test_requirements.txt file, not part of the main requirements.txt
There was a problem hiding this comment.
ahh didn't see the test_requirements. totally. fixing.
tests/oauth2/rfc6749/test_utils.py
Outdated
| @@ -108,3 +109,19 @@ def test_scope_to_list(self): | |||
|
|
|||
|
|
|||
|
|
|||
| class TestUrlValidation(TestCase): | |||
| def test_basic_urls(self): | |||
There was a problem hiding this comment.
Can this be parameterized to be several different test cases, rather than one test that makes multiple assertions?
There was a problem hiding this comment.
totally. there were zero tests so I wasn't sure what strategy you guys would prefer, so I went with the laziest one. I'll split these guys up.
what we should do is get some kind of better list of good/bad urls and have them iterated on.
This reverts commit b169725.
|
What's accepted by The problem that you're running into is that the fragment is not formally defined as a part of the absolute URI, This should not normally be a problem, since the But oauthlib is actually doing it correctly, since there is a note in RFC 6749, Section 3.1.2 which defines acceptable redirection endpoints, which explicitly says
And later
So, there is an inconsistency within the specification, and oauthlib opted to lean on the safer side. After looking through the errata, I don't believe it's been reported. |
|
You might check out this document, "The correct use of the state parameter in OAuth 2" by one of the authors of the RFC. It suggests encoding extra parameters your application needs into the |
|
@bjmc I feel like it's wrong to use the @kevin-brown your comments make sense. but the long and the short of it is that angular uses these fragments for routing. as far as some more modern frameworks are concerned, routing requests via fragments is acceptable. which means that if I use oauthlib in my authentication server, people who use angular can't authenticate it. so the question becomes, do we want this to be strictly adhering or do we allow a superset of functionality? |
|
@orenmazor It's not an either-or question. You can use I don't know very much about Angular, but it seems like it can be configured to work with URLs without a fragment identifier? |
I can't speak for the project owners, but I will just leave the description here.
|
|
@bjmc ah thats true. I kind of always wanted to keep I don't know much about angular either, but as far as it's concerned, those are valid urls. I don't know that I can dictate to people who integrate with us how they should structure their routing, to be honest (tho I'd definitely like to) |
|
I obviously don't know the specifics of your situation with your users, but I think you'd be on pretty firm ground to say "The RFC says it has to be this way..." FWIW, it seems like the practice in Angular-land is to have one page that's just responsible for handling OAuth2 callbacks, and then that will redirect back into the main application. That client-side redirect could be driven off something encoded in the There may even be library support so the app devs don't have to implement this all themselves. |
|
@bjmc totally. the only problem with that link is that its for implicit grants, which isn't what we're doing here :( the only other solution than updating the regex to allow more complex urls is to rely on the default redirect uri feature in oauthlib. the downside to this is that I'm then taking away their ability to have multiple possible redirect uris. tbh the regex solution smells the rightest, as the likelyhood of fragment urls going away anytime soon is basically 0. but if you guys are a strong no on this then I'll need to solve the problem some other way. |
|
What are they wanting to do in Angular that isn't the implicit grant? A public Javascript client can't protect its Modifying |
thats a great point actually. I assumed they're just piping the request to a backend, but if thats the case then maybe the backend can be reached directly. |
|
I agree with @bjmc I don't think this PR should be accepted. I'd rather stick to the spec as best as I can in order to avoid security issues and/or compatibility issues with other clients. |
|
👍 cool beans
…On Fri, Mar 31, 2017 at 4:59 AM Omer Katz ***@***.***> wrote:
Closed #469 <#469>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#469 (comment)>, or mute the
thread
<https://github.com/notifications/unsubscribe-auth/AAXdF8P3MhuTmX4Zf_agSYm5Ws10esYLks5rrMBzgaJpZM4MtSN3>
.
|
@thedrow @bjmc Hey guys, looks like there are some problems validating redirect_uris that have anchors in unexpected places (eg angular uris).
I extended the regex and added a really basic test.
thoughts?