-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better support for native apps #1238
Better support for native apps #1238
Conversation
You can run |
I think a simple |
Sorry was just making sure these changes actually work against my app. They do seem to work. |
Alright, how do we feel about what we see here now? Any more feedback or desires? |
I will double check this today evening, thanks for the work so far! |
@felipeelias Ok. How we do we feel about this current state? I think this does everything we want? |
@montdidier thanks for the follow up, indeed looks exactly like we spoke. One question though: why the logic between registration and code validation now differs? I mean, I was expecting this validation to be the same on both registration and authorization code flow. Am I missing something? One problem I see with the above is: I tested your branch against the provider app and I was able to register with the non-scheme uris, but then, as I attempt the authorization, I receive the error page saying I believe that can be confusing for users, what do you think? |
@felipeelias I must have missed something. I'll try to fix it. What was the URI you tried to use? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comments please
@@ -28,8 +28,8 @@ | |||
config_is_set(:token_secret_strategy, ::Doorkeeper::SecretStoring::Sha256Hash) | |||
end | |||
|
|||
scenario "Authorization Code Flow with hashing" do | |||
@client.redirect_uri = Doorkeeper.configuration.native_redirect_uri | |||
def authorize(redirect_url) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we removed scenario "Authorization Code Flow with hashing
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't really remove the scenario per se, more added two variants and changed the name(s), testing oob
and oob:auto
. Since these scenarios happen within the feature 'Authorization Code Flow' and context 'with grant hashing enabled' I didn't think the scenario as named was saying much. The two new scenarios I guess would read
- Authorization Code Flow with grant hashing enabled using redirect_url
urn:ietf:wg:oauth:2.0:oob
. - Authorization Code Flow with grant hashing enabled using redirect_url
urn:ietf:wg:oauth:2.0:oob:auto
.
If expanded out.
Happy to change to whatever folks would prefer.
@montdidier |
Ok. I've changed the validation code, so now it should be consistent across both validators. Let me know what you think. |
@montdidier this looks good! I tested against the provider app and we're good to go, just make sure that the specs are passing and from my side it's good to merge |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
Just minor comments about the failing specs. And don't forget please to squash your commits 🙏 and I think we can finish with the PR
@nbulaj Are you sure you want me to squash or will somebody squash when it comes to merge time in the UI? |
@montdidier please do, I think there is a reason why it's there |
c1bdcc8
to
0544123
Compare
@felipeelias there we go. let me know if anything else needs to happen. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Small comments
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some files could not be reviewed due to errors:
cannot load such file -- rubocop-performance
cannot load such file -- rubocop-performance /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_loader_resolver.rb:15:in `require' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_loader_resolver.rb:15:in `block in resolve_requires' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_loader_resolver.rb:11:in `each' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_loader_resolver.rb:11:in `resolve_requires' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_loader.rb:44:in `load_file' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_loader.rb:82:in `configuration_from_file' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/config_store.rb:44:in `for' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/cli.rb:206:in `apply_default_formatter' /home/linters/.bundle/gems/rubocop-0.64.0/lib/rubocop/cli.rb:46:in `run' /home/linters/.bundle/gems/rubocop-0.64.0/exe/rubocop:13:in `block in ' /usr/local/lib/ruby/2.6.0/benchmark.rb:308:in `realtime' /home/linters/.bundle/gems/rubocop-0.64.0/exe/rubocop:12:in `' /home/linters/.bundle/bin/rubocop:23:in `load' /home/linters/.bundle/bin/rubocop:23:in `' /usr/local/lib/ruby/2.6.0/bundler/cli/exec.rb:74:in `load' /usr/local/lib/ruby/2.6.0/bundler/cli/exec.rb:74:in `kernel_load' /usr/local/lib/ruby/2.6.0/bundler/cli/exec.rb:28:in `run' /usr/local/lib/ruby/2.6.0/bundler/cli.rb:463:in `exec' /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor/command.rb:27:in `run' /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command' /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor.rb:387:in `dispatch' /usr/local/lib/ruby/2.6.0/bundler/cli.rb:27:in `dispatch' /usr/local/lib/ruby/2.6.0/bundler/vendor/thor/lib/thor/base.rb:466:in `start' /usr/local/lib/ruby/2.6.0/bundler/cli.rb:18:in `start' /usr/local/lib/ruby/gems/2.6.0/gems/bundler-1.17.2/exe/bundle:30:in `block in ' /usr/local/lib/ruby/2.6.0/bundler/friendly_errors.rb:124:in `with_friendly_errors' /usr/local/lib/ruby/gems/2.6.0/gems/bundler-1.17.2/exe/bundle:22:in `' /usr/local/bin/bundle:23:in `load' /usr/local/bin/bundle:23:in `'
@montdidier could you please rebase with the current master? And fix conflicts please? I think this PR is ready to be merged, I have no objections. So you can squash it and we'll continue. |
…irection or loopback interface redirection
7511e4c
to
ebedb3c
Compare
@nbulaj done. |
Last @montdidier . Do we need to specify in our upgrade guides any breaking changes for this PR? I mean if something previously worked and now is broken - we need to define it. https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions |
@nbulaj It should not have changed for people using the old method of native support. It might be worth noting in the changes guide that the configuration setting |
@montdidier thank you for your contribution ❤️ |
@felipeelias No problem! Thank you, for your feedback and patience. |
@montdidier we currently support creating apps with a local redirect URI (using Am I right in assuming doorkeeper no longer supports this functionality? Should we remove our support for it? I don't mind removing it but I'm confused by your comments that "It should not have changed for people using the old method of native support." As far as I can tell, support for that method was entirely removed here. |
@ghiculescu if I remember correctly it still works but when you request the redirect url in the admin page you use |
@montdidier this is what our |
My memory is foggy on this topic because I have not looked at it since; so definitely double check what I am saying. So depending on how your app works you have a few options.
This basically puts the authorization token directly into a web view or the browser title view and the mobile app retrieves it from there. The
What did you app have for |
We had this: I guess we were using it as a nicer looking version of
Yep, that's what we were after, except I think it was mostly useful for generating auth tokens for testing quickly without necessarily implementing an Oauth flow. As far as I can tell it wasn't used in any meaningful way in production. Definitely a nice to have but not critical. |
This PR relates to the discussion here and here
I have loosened the validation to allow native apps to present a custom scheme. The old Google style OOB method is still supported (backwards compatible).
I have removed the
native_redirect_url
functionality but I don't know how you would like to deprecate it formally. My opinion is to keep the config for a while but print a deprecation warning (so upgraders do not break their app keeping their configuration from previously). The configuration has no impact on the workings of doorkeeper in this PR.