Replies: 7 comments 9 replies
-
One use case for this is to have multiple environments where the application is deployed but only one single OAuth2 client, e.g. a production, staging, and dev environment:
-
This use-case is exactly why I don't want to allow multiple origins. You should never mix production, staging, and dev credentials and application domains. This would allow a dev access token to be usable against a production resource server. So compromise of dev becomes compromise of production. At the moment, by forcing single origin, we force you to have separate security domains between each client, preventing users from making the security mistake in the first place.
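The argument in the reply above (one client shared across dev, staging and production lets a dev-issued token satisfy the production resource server, while one client per origin keeps the environments in separate security domains) as an added example. This is illustrative code written for this page, not Kanidm's own implementation; the client registration policy, the token layout (`iss`/`sub`/`aud`), the hostnames and the callback path are all assumptions, and signature and expiry checks are left out of the model.

```python
"""Added example, not Kanidm's own code: a toy authorization server and resource
server that model the single-origin argument.  A client registered with one origin
yields tokens whose audience is that client alone, so a dev-issued token cannot
satisfy the production resource server; one client shared across dev, staging and
prod makes the tokens indistinguishable.  Hostnames, the callback path and the
token layout are assumptions made for the illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Client:
    client_id: str
    origins: tuple[str, ...]   # registered redirect origins, normalised to scheme://host:port


def origin_of(url: str) -> str:
    """Normalise a URL to scheme://host:port so the comparison is exact, not prefix-based."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported redirect URI: {url!r}")
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


def register_client(client_id: str, *origins: str, allow_multiple_origins: bool = False) -> Client:
    """Single-origin policy (the default) refuses to create a client that spans origins."""
    if not origins:
        raise ValueError("a client needs exactly one origin")
    if len(origins) > 1 and not allow_multiple_origins:
        raise ValueError(f"{client_id}: multiple origins not allowed; register one client per origin")
    return Client(client_id, tuple(origin_of(o) for o in origins))


def authorize(client: Client, redirect_uri: str, subject: str = "alice") -> dict:
    """Authorization server: only redirect to a registered origin, then mint a token
    whose audience is the client that asked for it."""
    if origin_of(redirect_uri) not in client.origins:
        raise PermissionError(f"{redirect_uri!r} is not a registered origin of client {client.client_id}")
    return {"iss": "https://idm.example.com", "sub": subject, "aud": client.client_id}


def resource_server_accepts(token: dict, expected_aud: str) -> bool:
    """Resource server: a token is valid for this deployment only if it was minted for this
    deployment's client.  Signature and expiry checks are omitted from the model."""
    return token.get("iss") == "https://idm.example.com" and token.get("aud") == expected_aud


# Assumed deployment origins for the three environments discussed in the thread.
PROD = "https://app.example.com"
STAGING = "https://staging.app.example.com"
DEV = "http://localhost:8080"


def shared_client_allows_dev_token_on_prod() -> bool:
    """One client for all three environments: the dev token carries the same audience as a
    prod token, so the production resource server cannot tell them apart (returns True)."""
    app = register_client("app", PROD, STAGING, DEV, allow_multiple_origins=True)
    dev_token = authorize(app, DEV + "/oauth/callback")
    return resource_server_accepts(dev_token, expected_aud="app")


def separate_clients_reject_dev_token_on_prod() -> bool:
    """One client per origin: the dev token's audience is 'app-dev', which the production
    resource server (expecting 'app-prod') rejects (returns False)."""
    register_client("app-prod", PROD)
    app_dev = register_client("app-dev", DEV)
    dev_token = authorize(app_dev, DEV + "/oauth/callback")
    return resource_server_accepts(dev_token, expected_aud="app-prod")


if __name__ == "__main__":
    print("shared client, dev token accepted by prod RS:", shared_client_allows_dev_token_on_prod())
    print("separate clients, dev token accepted by prod RS:", separate_clients_reject_dev_token_on_prod())
```

The point of the model is the `aud` claim: with a shared client it is the same string for every environment, so nothing the production resource server can check distinguishes a token obtained through the `localhost` redirect from one obtained through the production origin. Separate clients give each environment its own audience, and the origin check in `authorize` refuses to issue a production-audience token to any other origin.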
-
I agree, I think that's a very compelling reason to not have such a capability. Truthfully I can't think of another use case myself -- I don't personally have a need for this feature. I was searching around for potential use cases based on the fact that Keycloak supports this, but the reasoning I provided was the only one I could find.
-
Yeah. The previous use case that almost all requests were related to was to have public clients with localhost redirects - we've solved that now in a more secure, and simpler, manner.
-
I'm really not sure how this is intended to work, but would multiple URLs/URIs be required for e.g. astubenbord/paperless-mobile#374 (using a
-
That could be a valid use case, but we'd need to see how it worked in general (i.e., can it be tested with an RS dedicated to that URL?) .. though most likely the auth will be against the server's URL, which the app can request a token for using that URL.
-
For example I'm setting up Immich and it requires three URIs:
Source: https://immich.app/docs/administration/oauth#prerequisites
-
We have had a number of past issues asking for multiple url support in oauth2. So far almost all of these requests have been about allowing an RP to have a https://example.com name while also allowing redirects to http://localhost.
However, there may be a case where someone wants to allow multiple names such as https://au.example.com and https://nz.example.com.
We need to understand why someone may want multiple URLs like this. From our app portal page, we can only nominate a single outbound link, which may constrain possible deployment options when multiple urls are involved.
This issue is intended to serve as a discussion about multiple public urls only. We need to know how or why someone may deploy these so that we can properly implement a design to facilitate this.