Allow multiple oAuth redirect domains #2430
Comments
For what it's worth, this was my solution, pretty similar:

```js
// assumes a querystring import, e.g. const querystring = require('querystring');
async getRedirect(data, params) {
  // `redirect` is the path appended to the frontend URL; `redirectOrigin` may
  // replace the configured origin when it is in the `redirectOrigins` allow-list
  const queryRedirect = params?.redirect || '';
  const redirectOrigin = params?.query?.redirectOrigin || '';
  const { redirect, redirectOrigins } = this.authentication.configuration.oauth;
  if (!redirect) {
    return null;
  }
  let redirectUrl = `${redirect}${queryRedirect}`;
  if (redirectOrigins?.includes(redirectOrigin)) {
    redirectUrl = `${redirectOrigin}${queryRedirect}`;
  }
  // put the token in the fragment unless the redirect already carries one
  const sepChar = (redirect.indexOf('#') !== -1 ? '?' : '#');
  const separator = redirect.endsWith('?') || redirect.endsWith('#') ? '' : sepChar;
  const authResult = data;
  const query = authResult.accessToken ? {
    access_token: authResult.accessToken,
  } : {
    error: data.message || 'OAuth Authentication not successful',
  };
  return `${redirectUrl}${separator}${querystring.stringify(query)}`;
}
```
This is interesting. While I’m assuming that `redirectOrigins` is an added slot in the oauth section of the configuration and is an array of acceptable origins, I’m not familiar with the query parameter `redirectOrigin`. When I run your code, `redirectOrigin` never has a value. Is there something that I have to do to enable this? How does it work? Assuming that the value is the origin from the original request (value of original “Referer” maybe?), how does it get transferred through the other redirects that occur during the OAuth flow (session?). I want to understand :)
Cheers,
Cliff
> On Aug 17, 2021, at 1:28 AM, Fraser wrote:
> For what it's worth, this was my solution:
The url should look something like this; you can generate it like:

```js
const { origin } = window.location;
`https://api.example.com/oauth/google?redirectOrigin=${encodeURIComponent(origin)}&redirect=/login`
```

I definitely wouldn't call my solution better, just different.
I like that because it means that the
I think maybe a combo solution that detects

```js
const { href } = window.location;
`https://api.example.com/oauth/google?redirect=${encodeURIComponent(href)}`
```
Thinking more about it, the default could be to use the HTTP
This is an issue brought up in #2430 and by @cliffvick and confirmed by @mrfrase3: Currently oAuth authentication only supports redirecting to a single frontend URL after a successful login. However, sometimes you may want to authenticate the same API with different frontends using dynamic redirects. This can already be done by customizing the oAuth strategy `getRedirect` like this: https://gist.github.com/daffl/d0dee9cda7eee3d270bc99a1f1c67d9b

It might be worth adding an additional configuration option of `allowedRedirects` that takes an array of allowed URLs and checks the dynamic query `redirect` against that list, similar to the above Gist.
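The `allowedRedirects` check proposed here, and the origin allow-list in the `getRedirect` posted earlier in the thread, as an added example that is not the issue's or the Feathers project's own code. It assumes an `oauth` config object with `redirect` (the default frontend URL) and `allowedRedirects` (an array of additional allowed origins), and goes slightly beyond the thread by resolving the `redirect` query value with the WHATWG URL API so that relative paths, absolute URLs and protocol-relative URLs all pass through the same origin check.

```javascript
// Added example (not from the issue or from Feathers). Assumed config shape:
//   oauth.redirect         - default frontend URL, e.g. 'https://app.example.com/'
//   oauth.allowedRedirects - array of extra origins the `redirect` query may target

// Origins a dynamic redirect may land on: the default plus every allowedRedirects
// entry, normalised to an origin so a trailing slash or path does not matter.
function allowedOrigins(oauth) {
  const extra = Array.isArray(oauth.allowedRedirects) ? oauth.allowedRedirects : [];
  return new Set([oauth.redirect, ...extra].map((u) => new URL(u).origin));
}

// Resolve the requested value against the default URL and keep it only when its
// origin is allow-listed. A relative path ('/dashboard') stays on the default
// origin; an absolute or protocol-relative value must match the list, otherwise
// the user is sent to the default rather than to a host chosen by the request.
function resolveRedirect(oauth, requested) {
  const fallback = new URL(oauth.redirect);
  if (typeof requested !== 'string' || requested === '') return fallback;
  let candidate;
  try {
    candidate = new URL(requested, fallback);
  } catch (err) {
    return fallback; // unparsable input: do not guess, use the default
  }
  return allowedOrigins(oauth).has(candidate.origin) ? candidate : fallback;
}

// Counterpart of the strategy's getRedirect: append the token (or the error)
// the way Feathers does, in the fragment unless the target already has one.
// URLSearchParams is used instead of querystring.stringify (spaces become '+').
function getRedirect(oauth, params, data) {
  if (!oauth.redirect) return null;
  const target = resolveRedirect(oauth, params?.query?.redirect).href;
  const sepChar = target.includes('#') ? '?' : '#';
  const separator = target.endsWith('?') || target.endsWith('#') ? '' : sepChar;
  const query = data?.accessToken
    ? { access_token: data.accessToken }
    : { error: data?.message || 'OAuth Authentication not successful' };
  return `${target}${separator}${new URLSearchParams(query).toString()}`;
}
```

Because the assembled URL is parsed and its origin compared after resolution, the check does not depend on how the `redirect` value was spelled, only on where it would actually send the browser.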