Remove Get Parameter from /oauth2/authorize and /oauth2/register

Open Aaron-Ritter opened this issue 2 years ago • 4 comments

Problem

A lot of users have the habit of bookmarking and sharing the login URL. If this URL changes, which can have multiple reasons (one example being a refactoring of the redirect_uri=), the bookmarked URL ends up being invalid.

This can cause, especially with a large user base, a lot of bad requests possibly over many months to the auth system and support requests to the application / support teams.

Solution

When a request is made to the oauth2 endpoints, store the information and immediately redirect once more to something like a no-login URL.

If this page receives only a GET request without the session / POST parameter, it will display a message that this request is invalid and that the user should return to the application URL, or something along those lines.

Alternatives/workarounds

TBD

Additional context

TBD

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

Aaron-Ritter avatar Oct 08 '23 17:10 Aaron-Ritter
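The two-hop flow proposed above, as an added example that is not part of the issue and not FusionAuth code: the first request to `/oauth2/authorize` carrying parameters is parked server-side under an opaque cookie and answered with a 302 to the bare path; the second, parameter-less request is served from that store, and a bare request with no matching cookie (a bookmark opened later) gets a plain error instead of a redirect to the client's callback. The cookie name, the in-memory store and the response shape are assumptions made for the example.

```python
"""Added example, not FusionAuth code: the 'store the parameters, then redirect
to a parameter-less URL' flow proposed in the issue, written as a plain Python
handler so the two hops can be exercised without a server."""
import secrets
from urllib.parse import urlsplit, parse_qs

AUTHORIZE_PATH = "/oauth2/authorize"
REQUIRED = ("client_id", "redirect_uri", "response_type")
COOKIE = "oauth_req"  # assumed cookie name

# Assumed server-side store: opaque cookie value -> original authorize parameters.
# An in-memory dict here; a real server would use its session store with a TTL.
pending_requests: dict = {}


def query_params(url: str) -> dict:
    """Return the query string of `url` as a flat name -> value dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def cookie_value(set_cookie: str) -> str:
    """Extract the value from a Set-Cookie header ('name=value; attrs...')."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def handle_authorize(url: str, cookies: dict) -> dict:
    """Simulate GET /oauth2/authorize; returns a dict describing the response."""
    params = query_params(url)

    if params:
        # First hop: the query string carries the OAuth request. Validate the
        # minimum, park it server-side and bounce to the bare URL so the
        # address bar (and any bookmark) never holds client_id/redirect_uri/state.
        missing = [k for k in REQUIRED if k not in params]
        if missing:
            return {"status": 400, "body": "missing parameters: " + ", ".join(missing)}
        sid = secrets.token_urlsafe(32)
        pending_requests[sid] = params
        return {
            "status": 302,
            "headers": {
                "Location": AUTHORIZE_PATH,
                "Set-Cookie": f"{COOKIE}={sid}; Path=/oauth2; HttpOnly; Secure; SameSite=Lax",
            },
        }

    # Second hop: no query string, so the request must come from the cookie-bound
    # store. A bookmark of the bare URL opened later has no such cookie and gets
    # a clear error instead of a confusing redirect to the client's callback.
    stored = pending_requests.get(cookies.get(COOKIE))
    if stored is None:
        return {
            "status": 400,
            "body": "This page cannot be opened directly or from a bookmark. "
                    "Return to your application and start the login there.",
        }
    # The entry is left in place until the login completes so that a page
    # refresh still works; completion (or the TTL) removes it.
    return {"status": 200, "body": "login form for client " + stored["client_id"], "request": stored}
```

The cookie is scoped to `/oauth2` and marked `SameSite=Lax`, which is enough because the first hop is a top-level navigation from the application and the second hop is same-site. Whatever the store is, it needs an expiry: otherwise abandoned first hops accumulate indefinitely.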

This is something we have discussed, but not for the end user; rather because it would allow us to more easily support POST bindings.

But in a general sense, users should never bookmark the URL to /oauth2/authorize. An app should have a login URL such as https://my-company.com/login which should return a 302 redirect to /oauth2/authorize.

How would adding this intermediate redirect help end users bookmarking this page?

As soon as you use PKCE, a nonce, or any state, bookmarking will break, in addition to the example you provide with redirect_uri.

robotdan avatar Oct 09 '23 04:10 robotdan
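The application-side pattern described in the comment above, as an added example (not FusionAuth's code and not code from the thread): the app owns a `/login` route that builds the `/oauth2/authorize` URL itself, with a fresh `state` and PKCE pair on every visit, and its callback consumes the `state` exactly once. A bookmarked authorize URL or a replayed callback therefore fails at the app with a message pointing back to `/login`, rather than leaving the callback unable to route the user. The hostnames and `client_id` echo the thread; the in-memory store of in-flight logins is an assumption.

```python
"""Added example, not FusionAuth's code: an application-side /login route of
the kind described above. The app, not the user, builds the /oauth2/authorize
URL, with a fresh state and PKCE pair on every visit, and the callback consumes
the state exactly once. URLs and client_id are placeholders echoing the thread."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://myidentity.dev/oauth2/authorize"
CLIENT_ID = "c16fcd21-8727-45bf-81f0-4d335ffe890e"
REDIRECT_URI = "https://admin.api.myapp.dev/api/auth/oauth-callback"

# Assumed server-side store of in-flight logins: state -> {verifier, org}.
# Keeping the org here (rather than appending it to `state`, as the thread's
# URL does) means nothing the IdP echoes back is trusted to carry routing data.
pending: dict = {}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a given code_verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """Flatten the query string of `url` to a name -> value dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def login_redirect(org: str) -> str:
    """GET https://<org>.org.myapp.dev/login: return the 302 Location.

    Every call mints new values, so the resulting URL is single-use by design.
    """
    verifier = b64url(secrets.token_bytes(32))        # 43 chars, within 43..128
    state = b64url(secrets.token_bytes(24))
    pending[state] = {"verifier": verifier, "org": org}
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid offline_access",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })


def handle_callback(url: str) -> dict:
    """GET /api/auth/oauth-callback?code=...&state=...

    Pops the state so a second arrival (replayed bookmark, refreshed tab) is
    rejected with a message that sends the user back to the app's own login.
    """
    q = query_params(url)
    entry = pending.pop(q.get("state"), None)
    if entry is None or "code" not in q:
        return {"status": 400,
                "error": "unknown or already-used login attempt; start again at /login"}
    # The code + entry["verifier"] would now be exchanged at the token endpoint
    # (omitted: it needs the IdP). On success, route back to the org's site.
    return {"status": 302,
            "location": f"https://{entry['org']}.org.myapp.dev/",
            "code_verifier": entry["verifier"]}
```

Because `/login` carries no parameters, it is the one URL a user can safely bookmark; every value that makes the authorize request single-use is minted on the way through it, and the callback's 400 on an unknown `state` is the place to render a "start again at your organisation URL" message.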

Added documentation tag as using the /login redirect is a best practice that we haven't documented anywhere I know of.

mooreds avatar Oct 09 '23 15:10 mooreds

@robotdan I don't fully understand how creating a redirect to /oauth2/authorize would prevent the user from bookmarking the URL? I fully agree that a user should not bookmark or in any form use this URL, but as long as it isn't "hidden" from the user by e.g. immediately redirecting away from it, you can't stop the user from doing so?

Aaron-Ritter avatar Oct 20 '23 18:10 Aaron-Ritter

@robotdan We have the following scenario in our platform:

We give a user their organisation URL and tell them that this is how they access their organisation:

  • https://demo1.org.myapp.dev/

When the user opens the URL they get automatically redirected to FusionAuth, which includes a redirect_uri to our oauth-callback API which then gets the user back to https://demo1.org.myapp.dev/ after a successful login.

https://myidentity.dev/oauth2/authorize?client_id=c16fcd21-8727-45bf-81f0-4d335ffe890e&redirect_uri=https://admin.api.myapp.dev/api/auth/oauth-callback&response_type=code&scope=offline_access&state=qsdip14b4kpyy7okapd8h9j8g3qbdlyhozv1i72dzpft7ea4cs6xtw07q1uoe1wp:demo1

At this point the users often bookmark the "site" because they likely don't have the understanding that myidentity.dev is independent from demo1.org.myapp.dev.

This URL is valid only once. Which means when the user accesses that URL through the bookmark a second time our https://admin.api.myapp.dev/api/auth/oauth-callback API won't be able to handle the response from FusionAuth and won't be able to redirect the user to the correct organisation.

We've started, for other reasons, to implement a "pre-login page", but with that the user does not get redirected directly to FusionAuth when not authenticated, which makes it more likely that the user bookmarks our application rather than FusionAuth.

But coming back to the original request, if the user gets redirected to: https://myidentity.dev/oauth2/authorize?client_id=c16fcd21-8727-45bf-81f0-4d335ffe890e&redirect_uri=https://admin.api.myapp.dev/api/auth/oauth-callback&response_type=code&scope=offline_access&state=qsdip14b4kpyy7okapd8h9j8g3qbdlyhozv1i72dzpft7ea4cs6xtw07q1uoe1wp:demo1

It would be good if there were an immediate second redirect to https://myidentity.dev/oauth2/authorize hiding the GET parameters from the user.

And if the user does bookmark the FusionAuth URL, you can display an error message when the user opens the bookmark for https://myidentity.dev/oauth2/authorize, e.g. telling the user that this page should not be bookmarked.

Aaron-Ritter avatar Sep 19 '24 07:09 Aaron-Ritter