Allow RedirectURI to have a custom behaviour #55
Conversation
|
Thanks for the PR, looks good, but I would strongly advice against permitting wildcard URL’s, as it’s in general not safe: https://security.stackexchange.com/questions/180505/why-is-a-wildcard-subdomain-callback-url-in-oauth-considered-unsafe The best approach is if you can somehow automatically update the redirect uris for the app(s) each time you spin up a new subdomain app. The PR is good as it is, but I’ll have to read up on the rfc specs to check what has to be hard requirements. I prefer that even what developers customize has to adhere to the specs as much as possible, and that may mean that the RedirectURI macro should be rewritten a bit to ensure that. |
|
I understand the security concerns. This is only intended for test environments and the overridden version also ensures that wildcards are only allowed on a specific domain that we own. Providing an API to add and remove redirect URI's to an application also introduces a potential security vulnerability. It's also a larger attack vector, because if an attacker can take advantage of this, they can add any domain or cause a denial of service. The only part of the interface I'm interested in modifying is |
If you're using ex_oauth2_provider/lib/ex_oauth2_provider/config.ex Lines 110 to 116 in d602d8e So these things can only be overridden if it's not production environment.
Yeah, limiting the scope of what can be changed would be great. In regards to automatically updating the URI list, I was thinking of just a release task that updates the relevant app(s) with an ecto query. No idea how your actual setup is so this may not be a good idea in your case 😄 I read up on the specs, and here's the relevant sections in the RFC: https://tools.ietf.org/html/rfc6749#section-3.1.2 The URI must be absolute, wildcard is against the specs. This PR doesn't make ExOauth2Provider less secure by default, but there may be a way to make it clearer that specs may be broken by overriding this module/methods and that it's not meant for public facing API's. Let me try a few things and see what makes sense to do here. |
danschultzer
force-pushed
the
allow-custom-redirect-uri
branch
from
acc0063
to
0295f2c
Compare
|
I've pushed a commit that limits the scope of this greatly. I found out that wildcard domains are valid in the current release of All you need to change is the I love the macro setup you had, but I think this is the better way for now since this way all the current validations are kept in place (fragments, https, etc) and it's not necessary to customize anything else than the matching. The tests I have added also makes sure that if/when I redo validations, I'll keep in mind that wildcard domains in current releases are valid. Wdyt? Will this work for you? |
|
Yea, this works for me. I can do the part I intended to do in the validation in the match. Thanks |
|
I'll release a new version ASAP. |
|
|
At the company I work at, we spin up custom environments for each branch. This change would allow us to define a version of RedirectURI that allows wildcards so that we don't need to define a redirect_uri everytime we spin up an environment with a different subdomain.