Comments (6)
Ok, let me fix this bug.
The changes have been submitted; you can try to update:
go get -u gopkg.in/oauth2.v3/...
From the perspective of the protocol, the redirect url is indeed optional, but the protocol specification does not give a better implementation. Do you have any better implementation? Let's discuss it.
The ClientStore currently stores objects of the type Client, which contains a Domain field. This field should actually be an array of redirection URIs (https://tools.ietf.org/html/rfc6749#section-2). When a request contains a redirection uri, you should check if the given client has this uri in its redirection uris. When the redirection uri is omitted, you should redirect to the only registered redirection_uri of the client, or provide an option to mark one of the registered redirection uris as the default one.
The part with the omitted redirection uri is a bit vague and up to interpretation. I think the solution where you check for the only registered, or the default redirection uri seems like the most reasonable one.
@LyricTian can close this I think
I consider this to be a serious vulnerability. It cannot redirect anywhere other than explicitly permitted URLs.
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
If the request fails due to a missing, invalid, or mismatching
redirection URI, or if the client identifier is missing or invalid,
the authorization server SHOULD inform the resource owner of the
error and MUST NOT automatically redirect the user-agent to the
invalid redirection URI.
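The validation rule proposed earlier in the thread (a list of registered redirection URIs, exact match on the supplied redirect_uri, fallback to the default or the only registered URI when it is omitted) combined with the RFC 6749 section 4.1.2.1 requirement quoted above (never redirect on a mismatch), as an added example in Go. This is not go-oauth2's own code; the Client type, its fields and ResolveRedirectURI are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Client is a hypothetical type (not go-oauth2's own) registered with a list of
// redirection URIs, as the thread proposes (RFC 6749 section 2), instead of one Domain.
type Client struct {
	ID           string
	RedirectURIs []string // registered redirection URIs, compared verbatim
	DefaultURI   string   // optional: the registered URI to use when the request omits one
}

var ErrRedirectURI = errors.New("missing, invalid, or mismatching redirect_uri")

// ResolveRedirectURI applies the rule discussed above: a supplied redirect_uri
// must exactly equal a registered URI (simple string comparison, no prefix or
// domain matching); when omitted, use the marked default or the only registered
// URI. Every failure is an error so the caller informs the resource owner and
// never redirects to the unverified URI (RFC 6749 section 4.1.2.1).
func ResolveRedirectURI(c *Client, requested string) (string, error) {
	if requested != "" {
		for _, u := range c.RedirectURIs {
			if u == requested {
				return u, nil
			}
		}
		return "", ErrRedirectURI
	}
	if c.DefaultURI != "" {
		for _, u := range c.RedirectURIs {
			if u == c.DefaultURI {
				return u, nil
			}
		}
		return "", ErrRedirectURI // default is not among the registered URIs
	}
	if len(c.RedirectURIs) == 1 {
		return c.RedirectURIs[0], nil
	}
	return "", ErrRedirectURI // several registered, none marked default: ambiguous
}

func main() {
	c := &Client{ID: "demo", RedirectURIs: []string{"https://app.example/cb", "https://app.example/cb2"}}
	_, err := ResolveRedirectURI(c, "https://other.example/cb") // constructed mismatching URI
	fmt.Println("rejected:", err)
}
```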