feat(oidc): customizable base redirect uri

Closes ory-corp/cloud#2003

driver/config/config.go

@@ -158,6 +158,7 @@ const (
 	ViperKeyPasswordIdentifierSimilarityCheckEnabled         = "selfservice.methods.password.config.identifier_similarity_check_enabled"
 	ViperKeyIgnoreNetworkErrors                              = "selfservice.methods.password.config.ignore_network_errors"
 	ViperKeyTOTPIssuer                                       = "selfservice.methods.totp.config.issuer"
+	ViperKeyOIDCBaseRedirectURL                              = "selfservice.methods.oidc.config.base_redirect_uri"
 	ViperKeyWebAuthnRPDisplayName                            = "selfservice.methods.webauthn.config.rp.display_name"
 	ViperKeyWebAuthnRPID                                     = "selfservice.methods.webauthn.config.rp.id"
 	ViperKeyWebAuthnRPOrigin                                 = "selfservice.methods.webauthn.config.rp.origin"
@@ -506,6 +507,10 @@ func (p *Config) TOTPIssuer() string {
 	return p.Source().StringF(ViperKeyTOTPIssuer, p.SelfPublicURL().Hostname())
 }
 
+func (p *Config) OIDCRedirectURIBase() *url.URL {
+	return p.Source().URIF(ViperKeyOIDCBaseRedirectURL, p.SelfPublicURL())
+}
+
 func (p *Config) IdentityTraitsSchemas() (Schemas, error) {
 	var ss Schemas
 	out, err := p.p.Marshal(kjson.Parser())

embedx/config.schema.json

@@ -1382,6 +1382,15 @@
                   "type": "object",
                   "additionalProperties": false,
                   "properties": {
+                    "base_redirect_uri": {
+                      "type": "string",
+                      "title": "Base URL for OAuth2 Redirect URIs",
+                      "description": "Can be used to modify the base URL for OAuth2 Redirect URLs. If unset, the Public Base URL will be used.",
+                      "format": "uri",
+                      "examples": [
+                        "https://auth.myexample.org/"
+                      ]
+                    },
                     "providers": {
                       "title": "OpenID Connect and OAuth2 Providers",
                       "description": "A list and configuration of OAuth2 and OpenID Connect providers Ory Kratos should integrate with.",

selfservice/strategy/oidc/provider_auth0.go

@@ -56,7 +56,7 @@ func (g *ProviderAuth0) oauth2(ctx context.Context) (*oauth2.Config, error) {
 			TokenURL: tokenUrl.String(),
 		},
 		Scopes:      g.config.Scope,
-		RedirectURL: g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL: g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 
 	return c, nil

selfservice/strategy/oidc/provider_discord.go

@@ -42,7 +42,7 @@ func (d *ProviderDiscord) oauth2(ctx context.Context) *oauth2.Config {
 			AuthURL:  discordgo.EndpointOauth2 + "authorize",
 			TokenURL: discordgo.EndpointOauth2 + "token",
 		},
-		RedirectURL: d.config.Redir(d.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL: d.config.Redir(d.reg.Config(ctx).OIDCRedirectURIBase()),
 		Scopes:      d.config.Scope,
 	}
 }

selfservice/strategy/oidc/provider_generic_oidc.go

@@ -56,7 +56,7 @@ func (g *ProviderGenericOIDC) oauth2ConfigFromEndpoint(ctx context.Context, endp
 		ClientSecret: g.config.ClientSecret,
 		Endpoint:     endpoint,
 		Scopes:       scope,
-		RedirectURL:  g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL:  g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 }
 

selfservice/strategy/oidc/provider_generic_test.go

@@ -50,6 +50,24 @@ func makeAuthCodeURL(t *testing.T, r *login.Flow, reg *driver.RegistryDefault) s
 func TestProviderGenericOIDC_AddAuthCodeURLOptions(t *testing.T) {
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	conf.MustSet(config.ViperKeyPublicBaseURL, "https://ory.sh")
+	t.Run("case=redirectURI is public base url", func(t *testing.T) {
+		r := &login.Flow{ID: x.NewUUID(), Refresh: true}
+		actual, err := url.ParseRequestURI(makeAuthCodeURL(t, r, reg))
+		require.NoError(t, err)
+		assert.Contains(t, actual.Query().Get("redirect_uri"), "https://ory.sh")
+	})
+
+	t.Run("case=redirectURI is public base url", func(t *testing.T) {
+		conf.MustSet(config.ViperKeyOIDCBaseRedirectURL, "https://example.org")
+		t.Cleanup(func() {
+			conf.MustSet(config.ViperKeyOIDCBaseRedirectURL, nil)
+		})
+		r := &login.Flow{ID: x.NewUUID(), Refresh: true}
+		actual, err := url.ParseRequestURI(makeAuthCodeURL(t, r, reg))
+		require.NoError(t, err)
+		assert.Contains(t, actual.Query().Get("redirect_uri"), "https://example.org")
+	})
+
 	t.Run("case=expect prompt to be login with forced flag", func(t *testing.T) {
 		r := &login.Flow{
 			ID:      x.NewUUID(),

selfservice/strategy/oidc/provider_github.go

@@ -43,7 +43,7 @@ func (g *ProviderGitHub) oauth2(ctx context.Context) *oauth2.Config {
 		ClientSecret: g.config.ClientSecret,
 		Endpoint:     github.Endpoint,
 		Scopes:       g.config.Scope,
-		RedirectURL:  g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL:  g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 }
 

selfservice/strategy/oidc/provider_github_app.go

@@ -40,7 +40,7 @@ func (g *ProviderGitHubApp) oauth2(ctx context.Context) *oauth2.Config {
 		ClientSecret: g.config.ClientSecret,
 		Endpoint:     github.Endpoint,
 		Scopes:       g.config.Scope,
-		RedirectURL:  g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL:  g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 }
 

selfservice/strategy/oidc/provider_gitlab.go

@@ -56,7 +56,7 @@ func (g *ProviderGitLab) oauth2(ctx context.Context) (*oauth2.Config, error) {
 			TokenURL: tokenUrl.String(),
 		},
 		Scopes:      g.config.Scope,
-		RedirectURL: g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL: g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}, nil
 }
 

selfservice/strategy/oidc/provider_slack.go

@@ -44,7 +44,7 @@ func (d *ProviderSlack) oauth2(ctx context.Context) *oauth2.Config {
 			AuthURL:  "https://slack.com/oauth/authorize",
 			TokenURL: slack.APIURL + "oauth.access",
 		},
-		RedirectURL: d.config.Redir(d.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL: d.config.Redir(d.reg.Config(ctx).OIDCRedirectURIBase()),
 		Scopes:      d.config.Scope,
 	}
 }

selfservice/strategy/oidc/provider_spotify.go

@@ -43,7 +43,7 @@ func (g *ProviderSpotify) oauth2(ctx context.Context) *oauth2.Config {
 		ClientSecret: g.config.ClientSecret,
 		Endpoint:     spotify.Endpoint,
 		Scopes:       g.config.Scope,
-		RedirectURL:  g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL:  g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 }
 
@@ -64,7 +64,7 @@ func (g *ProviderSpotify) Claims(ctx context.Context, exchange *oauth2.Token) (*
 	}
 
 	auth := spotifyauth.New(
-		spotifyauth.WithRedirectURL(g.config.Redir(g.reg.Config(ctx).SelfPublicURL())),
+		spotifyauth.WithRedirectURL(g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase())),
 		spotifyauth.WithScopes(spotifyauth.ScopeUserReadPrivate))
 
 	client := spotifyapi.New(auth.Client(ctx, exchange))

selfservice/strategy/oidc/provider_vk.go

@@ -43,7 +43,7 @@ func (g *ProviderVK) oauth2(ctx context.Context) *oauth2.Config {
 			TokenURL: "https://oauth.vk.com/access_token",
 		},
 		Scopes:      g.config.Scope,
-		RedirectURL: g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL: g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 }
 

selfservice/strategy/oidc/provider_yandex.go

@@ -41,7 +41,7 @@ func (g *ProviderYandex) oauth2(ctx context.Context) *oauth2.Config {
 			TokenURL: "https://oauth.yandex.com/token",
 		},
 		Scopes:      g.config.Scope,
-		RedirectURL: g.config.Redir(g.reg.Config(ctx).SelfPublicURL()),
+		RedirectURL: g.config.Redir(g.reg.Config(ctx).OIDCRedirectURIBase()),
 	}
 }