-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issues with IgnoreLocalPortUrl
#175
Comments
This is in reference to the section here: oxide-auth/oxide-auth/src/primitives/registrar.rs Lines 786 to 800 in 303e85d
The issue is that the argument is never utilized as the return value. This is a bug introduced with the logic having been designed around the older RFCs first. A cleaner fix might add this behavior to
I also agree that the name in the attribute is confusing with that usage. A breaking change would simply carry both pieces of information into the returned object, the registered one as RegisteredUrl and the permitted redirect uri as an |
Coincidentally the fix to this logic might also unblock the addition of wildcard registrations. |
I just ran into the same issue. Is this already fixed? If not, what would it take to get it done? |
The main effort should be expanding the test suite such that the new match is considered. The fix proposed seems already promising and implementable as is, changing the line (
The block assigning |
Thanks to your pointer it seemed quite easy. I hope PR #190 is what you had in mind. |
Bug report
We try to use oxide-auth to test some OAuth clients in tests. During that, we encountered some issues regarding the usefulness of the current implementation of
IgnoreLocalPortUrl
.localhost vs. 127.0.0.1
https://www.rfc-editor.org/rfc/rfc8252.html#section-7.3 and https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#section-4.1.3 call out to also support 127.0.0.1 for the special case of ignoring the port when validating the client-passed redirect_uri. As 127.0.0.1 (and probably the IPv6 localhost address) is considered to be safer as the hostname, I would expect that
IgnoreLocalPortUrl
also takes the loopback addresses.Completing a flow
It does not seem to be possible to complete a authorization code flow.
During
/authorization
, the redirect is generated by:redirect_uri
of thePreGrant
.PreGrant
(for ClientMap) gets theredirect_uri
fromBoundClient
(primitives/registrar.rs#negotiate
)BoundClient
(for ClientMap) gets theredirect_uri
from the registered client (primitives/registrar.rs#bound_redirect
)This results in a browser being redirected to the wrong location.
Reproduction
Relevant environment (http frontend library, OS, network setup?)
Steps to reproduce the behavior:
Expected behaviour
According to rfc8252, the redirect should happen based on the requests'
redirect_uri
.One simple fix would be to change
bound_redirect
in registrar.rs to assign the following toregistered_url
While this fixes the underlying issue, I am not sure of the consequences of this change. Having
RegisteredUrl
inPreGrant
conveys, semantically by the type, that the content is the URL that is registered with theClient
, but the field name and usage of the field suggests otherwise.Tracking pull request
The text was updated successfully, but these errors were encountered: