OAuth2 redirect_uri can't be http unless percent-encoded
Describe the bug
When using an OAuth2 flow, if the redirect_uri is any of the following, it reaches Authentik and functions normally:
- http%3A%2F%2Fhostname
- https%3A%2F%2Fhostname
- https://hostname
However, this one doesn't work:
- http://hostname
Instead, it produces a 403 from openresty and never reaches Authentik itself.
To Reproduce
Steps to reproduce the behavior:
- Create an OAuth2 provider where the redirect_uri includes an http:// URI
- Attempt to authenticate against this provider without percent-encoding the requested redirect target
- See error
Expected behavior
If percent-encoding is required, that's fine. But since raw :// is supported for https, it should be supported for http as well.
Screenshots
- Not working: [screenshot]
- Working: [screenshot]
- Failing correctly (i.e. reaches Authentik and is not rejected by openresty): [screenshot]
Logs
It appears that only the second two versions reach Authentik to be logged.
Version and Deployment (please complete the following information):
- authentik version: 2023.10.7
- Deployment: docker-compose
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
"Won't fix" because no one has looked at it?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Seems like a silly policy if the bug still exists.
http://hostname fails as it's not URL encoded, which is why openresty is not forwarding the request; every URL parameter must be URL encoded. As the request does not even reach authentik without percent-encoding, this is not an authentik issue.
Okay, if percent-encoding is required, that's a reasonable answer. But then why does https://hostname work?
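The two sides of this thread (the reporter's four redirect_uri spellings, and the maintainer's point that every query parameter should be percent-encoded before the request reaches the proxy) can be seen together in a small client-side helper. The following is an added example, not authentik or openresty code: the authorization endpoint, client id and registered redirect URIs are constructed placeholders. It builds the authorization request with `urllib.parse.urlencode` (which percent-encodes `:` and `/`, giving the `http%3A%2F%2F...` form that works in the report), flags query values that still carry raw reserved characters before the request is sent, and shows the exact-match allow-list check an authorization server applies to the decoded `redirect_uri`, which is why the encoded and raw forms decode to the same value once they get past the proxy.

```python
"""Build an OAuth2 authorization URL and check how its redirect_uri is carried.

Added example, not authentik or openresty code. The endpoint, client id and
registered redirect URIs are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Placeholder authorization endpoint (assumed, not the project's real path layout).
AUTHORIZE_ENDPOINT = "https://authentik.example.test/application/o/authorize/"

# Constructed allow-list. RFC 6749 section 3.1.2 requires the decoded
# redirect_uri to match a registered value exactly, not by prefix.
REGISTERED_REDIRECT_URIS = {
    "http://hostname/callback",
    "https://hostname/callback",
}

# Reserved characters the thread's front-end proxy expects to see encoded in a
# query value. RFC 3986 does allow ':' and '/' raw inside a query component, so
# this is a policy check mirroring the maintainer's comment, not a syntax check.
RAW_RESERVED = set(":/?#[]@ ")


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        scope: str = "openid") -> str:
    """Return the authorization URL with every parameter value percent-encoded.

    urlencode() uses quote_plus, so 'http://hostname/callback' becomes
    'http%3A%2F%2Fhostname%2Fcallback' in the query string.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def raw_reserved_params(url: str) -> list[str]:
    """Names of query parameters whose still-encoded value contains a reserved char.

    Inspects the raw query string before any decoding, i.e. what a proxy in
    front of the application sees on the wire.
    """
    raw_query = urlsplit(url).query
    offenders = []
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if any(ch in RAW_RESERVED for ch in value):
            offenders.append(name)
    return offenders


def redirect_uri_is_registered(url: str) -> bool:
    """Decode redirect_uri and require exactly one value that matches the allow-list.

    parse_qsl() percent-decodes, so the encoded and raw spellings of the same
    URI compare equal here. A duplicated redirect_uri parameter is rejected
    rather than letting the first or last copy win.
    """
    values = [v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
              if k == "redirect_uri"]
    return len(values) == 1 and values[0] in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    encoded = build_authorize_url("app", "http://hostname/callback", "s1")
    # Hand-built request with the raw http:// form from the bug report (constructed).
    raw = AUTHORIZE_ENDPOINT + "?client_id=app&redirect_uri=http://hostname/callback"
    for label, url in (("encoded", encoded), ("raw", raw)):
        print(label, url)
        print("  raw reserved chars in:", raw_reserved_params(url))
        print("  redirect_uri registered:", redirect_uri_is_registered(url))
```

Run as a script it prints both forms of the request: the `urlencode`-built one carries no raw reserved characters and passes the allow-list check, while the hand-built one is flagged on `redirect_uri` even though, once decoded, it names the same registered URI. That is the gap the thread describes: the allow-list check lives in the application, but a proxy policy on raw query values is applied first.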