Have wildcards in redirect_uri of client configuration #2512

jillesvo · 2021-04-30T20:17:40Z

jillesvo
Apr 30, 2021

A client needs to be able to dynamically generate the redirect_uris on their end, so they are not able to give exact redirect_uris for us to configure in Hydra.

Is their any way with Hydra or a known workaround/solution to solve this issue?

Thanks a lot for any help!

Answered by vinckr

May 1, 2021

From the OAuth2.0 spec:

The authorization server SHOULD require the client to provide the
complete redirection URI (the client MAY use the "state" request
parameter to achieve per-request customization). If requiring the
registration of the complete redirection URI is not possible, the
authorization server SHOULD require the registration of the URI
scheme, authority, and path (allowing the client to dynamically vary
only the query component of the redirection URI when requesting
authorization).

I think what you are looking for is achieved in Hydra using the stateparameter
The state parameter will be appended to the redirect URL despite it not being whitelisted.

From Implementing Login, …

View full answer

vinckr · 2021-05-01T16:24:49Z

vinckr
May 1, 2021
Maintainer

From the OAuth2.0 spec:

The authorization server SHOULD require the client to provide the
complete redirection URI (the client MAY use the "state" request
parameter to achieve per-request customization). If requiring the
registration of the complete redirection URI is not possible, the
authorization server SHOULD require the registration of the URI
scheme, authority, and path (allowing the client to dynamically vary
only the query component of the redirection URI when requesting
authorization).

I think what you are looking for is achieved in Hydra using the stateparameter
The state parameter will be appended to the redirect URL despite it not being whitelisted.

From Implementing Login, Consent & Logout UI:

The URL query MAY contain key post_logout_redirect_uri indicating where the user agent should be redirected after the logout completed successfully. Each OAuth 2.0 Client can whitelist a list of URIs that can be used as the value using the post_logout_redirect_uris metadata field: /oauth2/sessions/logout?id_token_hint=...&post_logout_redirect_uri=https://i-must-be-whitelisted/
If post_logout_redirect_uri is set, the URL query SHOULD contain a state value. On successful redirection, this state value will be appended to the post_logout_redirect_uri. The functionality is equal to the state parameter when performing OAuth2 flows.

I hope that clears it up a bit 🐝

4 replies

jillesvo May 4, 2021
Author

Thanks a lot for the quick reply.
Sadly our client (big American company) won't be able to make the changes needed to support the state parameter. And their redirect_uris vary per customer. So I guess we'll have to find a way to workaround this.

aeneasr May 4, 2021
Maintainer

We highly discourage you from doing so - it will prevent you from becoming a certified OpenID Connect / OAuth2 provider because it is a security concern. Your client can not bind the laws of security, even if they are big :)

jillesvo May 4, 2021
Author

That is very clear. Thanks for the input.

Follow-up question: how many redirect_uris can you register per oauth client?

aeneasr May 4, 2021
Maintainer

no limit

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Have wildcards in redirect_uri of client configuration #2512

{{title}}

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Have wildcards in redirect_uri of client configuration #2512

jillesvo Apr 30, 2021

Replies: 1 comment · 4 replies

vinckr May 1, 2021 Maintainer

jillesvo May 4, 2021 Author

aeneasr May 4, 2021 Maintainer

jillesvo May 4, 2021 Author

aeneasr May 4, 2021 Maintainer

jillesvo
Apr 30, 2021

Replies: 1 comment 4 replies

vinckr
May 1, 2021
Maintainer

jillesvo May 4, 2021
Author

aeneasr May 4, 2021
Maintainer

jillesvo May 4, 2021
Author

aeneasr May 4, 2021
Maintainer