I have a mis-configured github provider being used from gothic. If I misconfigure my callback, so that it does not match what is configured in github, the requests to my callback handler look like this:
GET /v1/auth/github/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23redirect-uri-mismatch&state=41790af3-2ac4-4223-96e6-6e8d38621b1e HTTP/1.1
When I issue gothic.CompleteUserAuth(), it returns no errors, and a user object of {map[message:Bad credentials documentation_url:https://developer.github.com/v3] github 0 0001-01-01 00:00:00 +0000 UTC}
I feel like situations like this should cause a failure, since otherwise, it means anyone who hits the callback with the correct state parameter is authenticated, whether the provider thinks they should have been or not.
Where should this get fixed? The provider code for github (and possibly others)? gothic? Is this an underlying issue with oauth2.Extract()?
In the meantime, I've worked around this by requiring the 'code' param to be set in the callback before passing on to gothic.
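The workaround described above, written out as an added example (this is not goth's or gothic's own code, and the inner handler is a hypothetical stand-in for the handler that would call gothic.CompleteUserAuth). An OAuth 2.0 authorization server that rejects the request redirects back with `error`, `error_description`, `error_uri` and `state` (RFC 6749 section 4.1.2.1) instead of `code`; the guard below refuses to forward any redirect that carries `error` or lacks `code`, so a provider-side rejection can never be turned into a login. The sample query strings are constructed from the request line in the issue and a made-up success redirect:

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ProviderError is an OAuth 2.0 error response (RFC 6749 section 4.1.2.1)
// that the provider sent back on the redirect instead of an authorization code.
type ProviderError struct {
	Code        string
	Description string
	URI         string
}

func (e *ProviderError) Error() string {
	return fmt.Sprintf("oauth provider returned error %q: %s", e.Code, e.Description)
}

var (
	ErrMissingCode  = errors.New("oauth callback has no code parameter")
	ErrMissingState = errors.New("oauth callback has no state parameter")
)

// ValidateCallback decides whether a redirect's query string is a usable
// success response. The error branch is checked first: a provider error
// must never be processed as a login even if state and other parameters are present.
func ValidateCallback(q url.Values) error {
	if code := q.Get("error"); code != "" {
		return &ProviderError{Code: code, Description: q.Get("error_description"), URI: q.Get("error_uri")}
	}
	if q.Get("state") == "" {
		return ErrMissingState
	}
	if q.Get("code") == "" {
		return ErrMissingCode
	}
	return nil
}

// RequireAuthCode wraps the real callback handler (hypothetically, the one that
// calls gothic.CompleteUserAuth) and only invokes it when the redirect carries
// an authorization code. Everything else is answered with 401 and never
// reaches the wrapped handler.
func RequireAuthCode(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := ValidateCallback(r.URL.Query()); err != nil {
			var pe *ProviderError
			if errors.As(err, &pe) {
				// A redirect_uri_mismatch here is a deployment bug worth surfacing
				// in server logs; the client only gets a generic failure.
				fmt.Printf("callback rejected: %v (%s)\n", pe, pe.URI)
			}
			http.Error(w, "authentication failed", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeCallback runs one raw query string through the guarded handler and
// reports whether the inner handler ran and which status the client received.
func ProbeCallback(rawQuery string) (innerCalled bool, status int) {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		innerCalled = true // stand-in for the call to gothic.CompleteUserAuth
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/v1/auth/github/callback?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	RequireAuthCode(inner).ServeHTTP(rec, req)
	return innerCalled, rec.Code
}

func main() {
	// Constructed inputs: the error redirect from the issue, a made-up success
	// redirect, and a redirect that has state but no code.
	samples := []string{
		"error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23redirect-uri-mismatch&state=41790af3-2ac4-4223-96e6-6e8d38621b1e",
		"code=0123456789abcdef&state=41790af3-2ac4-4223-96e6-6e8d38621b1e",
		"state=41790af3-2ac4-4223-96e6-6e8d38621b1e",
	}
	for _, q := range samples {
		called, status := ProbeCallback(q)
		fmt.Printf("inner handler called=%v status=%d\n", called, status)
	}
}
```

Only the redirect that carries `code` reaches the inner handler; the error redirect from the issue is rejected before any library call, regardless of whether its `state` value matches the one stored in the session.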