Gracefully handle redirect for DPoP #493

Merged: 10 commits merged on Oct 30, 2020

Commits on Oct 30, 2020

  1. DPoP-authenticated fetch manages redirection

    Since a DPoP header is scoped to one target IRI, if the request is redirected, the DPoP header is invalid, which results in a 401 unauthenticated. To fix the issue, the fetch must capture the redirection, and replay the request to the actual target IRI.
    NSeydoux committed Oct 30, 2020
    052b627
  2. Checks response's URL to detect redirect

    Tests showed that e.g. a 303 did not set response.redirected to true. In order for the redirection detection to be successful, the response's URL is compared to the original fetch parameter.
    NSeydoux committed Oct 30, 2020
    13a5bf6
  3. Updated changelog

    NSeydoux committed Oct 30, 2020
    c4fecad
  4. DPoP fetch follows redirects

    In order to avoid issuing an additional request in case a redirect leads to an error, the redirections are handled manually, and not internally by the browser. This means that each individual request has an appropriate DPoP header, matching the actual target resource.
    NSeydoux committed Oct 30, 2020
    92ee19c
  5. 1019104
  6. Disabled manual redirect

    Fetching with 'redirect: manual' doesn't allow getting the target IRI, which prevents successfully redirecting. This rolls back to the previous approach, but prevents replaying a request if a non-auth error is reported.
    NSeydoux committed Oct 30, 2020
    85a870a
  7. 40a6464
  8. a22a607
  9. 2ed5a4a
  10. 4080b26
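
The approach the commit messages above settle on, as an added example that is not code from this pull request: let fetch follow the redirect, detect it by comparing URLs, and replay once with a DPoP proof for the actual target only when the response is a 401. `signProof` and `fetchImpl` are hypothetical injection points, and the request is assumed to be replayable (plain-object headers, no one-shot body).

```javascript
// Added example, not the project's code. `signProof({ htm, htu })` is a
// hypothetical callback standing in for the DPoP JWT signer (which would also
// add jti, iat and the public JWK); `fetchImpl` is the fetch to wrap.

// The htu claim is the target URI without its query and fragment parts.
function htuFor(url) {
  const u = new URL(url);
  u.search = "";
  u.hash = "";
  return u.toString();
}

// Build headers whose DPoP proof is scoped to exactly this method and URL.
// Assumes `extra` is a plain object, not a Headers instance.
async function dpopHeaders(accessToken, method, url, signProof, extra = {}) {
  const proof = await signProof({ htm: method, htu: htuFor(url) });
  return { ...extra, Authorization: `DPoP ${accessToken}`, DPoP: proof };
}

async function dpopFetch(url, init = {}, { accessToken, signProof, fetchImpl }) {
  const method = (init.method || "GET").toUpperCase();
  const first = await fetchImpl(url, {
    ...init,
    headers: await dpopHeaders(accessToken, method, url, signProof, init.headers),
  });
  // response.redirected was not reliable (commit 2), so compare the final URL
  // with the requested one; htuFor() also normalizes both before comparing.
  const wasRedirected = Boolean(first.url) && htuFor(first.url) !== htuFor(url);
  // Replay only when the stale proof caused an auth failure (commit 6); any
  // other error from the redirect target is returned without a second request.
  if (first.status !== 401 || !wasRedirected) return first;
  return fetchImpl(first.url, {
    ...init,
    headers: await dpopHeaders(accessToken, method, first.url, signProof, init.headers),
  });
}
```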