[ELY-2242] Changed OidcRequestAuthenticator.rewrittenRedirectUri to … #1615
Hello, mouseas. I'm waiting for one of the admins to verify this patch with /ok-to-test in a comment.
Found a bit more about this in the spec for OAuth 2.0:

Original OAuth 2.0 spec: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2
Update for threat model and security considerations: https://www.rfc-editor.org/rfc/rfc6819#section-5.2.3.3

The original spec allowed for query strings to be dynamic in redirect URLs, but the update no longer allows them because they create potential security vulnerabilities. From this I would conclude that the query string is meant to be removed entirely. If that's the case, it makes
Thanks @mouseas!
Feel free to create an ELY issue for this and we'll take a closer look. Thanks!

What issue type?

Feel free to use Task and then we'll investigate further. Thanks.

@mouseas Thanks!
[ELY-2242] Changed OidcRequestAuthenticator.rewrittenRedirectUri to behave consistently when a redirect rewrite rule is specified vs when none is. Exposed redirect rewrite rules when OidcClientConfiguration is delegated by OidcClientContext.
https://issues.redhat.com/browse/ELY-2242
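The behaviour the comment above argues for and the description asks for, shown as an added example that is not Elytron's code (the class and method names are hypothetical): the query string and fragment are dropped in every case, and only then is the optional rewrite rule applied, so the resulting redirect_uri is built the same way whether or not a rule is configured.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

// Hypothetical helper; not the project's OidcRequestAuthenticator.
final class RedirectUriRewriter {
    private final Pattern rewriteFrom; // null when no rewrite rule is configured
    private final String rewriteTo;

    RedirectUriRewriter(String fromRegex, String to) {
        this.rewriteFrom = fromRegex == null ? null : Pattern.compile(fromRegex);
        this.rewriteTo = to;
    }

    /**
     * Builds the redirect_uri from the incoming request URI.
     * The query string and fragment are removed unconditionally (RFC 6819 5.2.3.3
     * advises against dynamic query components), then the rewrite rule, if any,
     * is applied to the stripped URI. Both code paths therefore share one shape.
     */
    String rewrittenRedirectUri(String requestUri) throws URISyntaxException {
        URI in = new URI(requestUri);
        // scheme + authority + path only; query and fragment set to null
        String stripped = new URI(in.getScheme(), in.getAuthority(), in.getPath(), null, null).toString();
        if (rewriteFrom == null || rewriteTo == null) {
            return stripped;
        }
        return rewriteFrom.matcher(stripped).replaceAll(rewriteTo);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample request carrying a query string and a fragment.
        String request = "https://app.example.com/secured/page?state=abc&code=123#frag";

        RedirectUriRewriter noRule = new RedirectUriRewriter(null, null);
        RedirectUriRewriter withRule = new RedirectUriRewriter(
                "^https://app\\.example\\.com/", "https://app.example.com:8443/");

        System.out.println("no rule:   " + noRule.rewrittenRedirectUri(request));
        System.out.println("with rule: " + withRule.rewrittenRedirectUri(request));
    }
}
```

Both printed URIs end at the path; the rule-based variant differs only by the rewritten host and port, which is the consistency the change in this PR is after.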