
RedirectPolicy forced to none

Open mooreniemi opened this issue 3 years ago • 3 comments

Howdy! I am new to OAuth as a protocol and working in an "edge case" situation where I'm using this crate for an OAuth Distributed, which in my case requires my initial auth flow to include a redirect. Essentially the auth server itself is protected and you must first auth with a public gateway you're redirected to. I wanted to hear your thoughts on how strong the below mandate should be. Would you accept a PR to make it settable despite the risks? If not, of course I can just make my own methods for http_client. Thanks for your work on this crate, it is making my life easier right now.

https://github.com/ramosbugs/oauth2-rs/blob/7c10cf07feb9538f9cc66dcb457bd36fbb1ca864/src/reqwest.rs#L55-L59

mooreniemi avatar May 08 '21 22:05 mooreniemi

Hey @mooreniemi, I'm not very well-versed in that RFC, but from a cursory glance it looks like the discovery process involves a separate request/response prior to starting the normal OAuth flow. I don't think enabling the HTTP client to follow redirects during the token request (or the other server-to-server endpoints) would be required to support OAuth Discovery, but I may be misunderstanding something. It seems like you'd need to make the discovery request, parse the response, and then construct an oauth2::Client specifying the endpoints returned in the discovery response. The openidconnect crate does something similar for OpenID Connect discovery.

If I'm indeed misunderstanding, would you mind providing a bit more detail about where in the flow there's an HTTP redirect being returned that this crate would need to follow in order to support this flow?

ramosbugs avatar May 08 '21 23:05 ramosbugs

I don't know how much of the internal docs I can share. Basically once the auth server redirects me, that followed request itself returns a StandardTokenResponse, so I may be misunderstanding but I thought if I could reuse http_client here that's cleaner than setting up a secondary client whose sole purpose is just to mimic it but change only the RedirectPolicy.

mooreniemi avatar May 09 '21 22:05 mooreniemi

Hmm, it sounds like a bit of an odd (or at least quite uncommon) use case to have a redirect in response to this sort of POST request, so I think it would be better to use a custom http_client than to expose that interface directly in this crate. Fortunately, that only requires about 30 lines of code: https://github.com/ramosbugs/oauth2-rs/blob/c7945cea0f85352eb1a43a4395d3bb6dc719f49f/src/reqwest.rs#L96-L128

ramosbugs avatar May 09 '21 22:05 ramosbugs
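If you do write that custom http_client, the part worth thinking about is the redirect rule itself rather than the plumbing: a token request is a POST carrying the authorization code and, depending on the client auth method, the client secret, so blindly following a 3xx can re-send those to whatever host the Location header names, over whatever scheme it names, and a 301/302/303 may also turn the POST into a body-less GET. The block below is an added example, not code from oauth2-rs or from reqwest; `RedirectPolicy`, `Decision`, `parse_origin`, the hop limit and the host names are all assumptions made up for illustration. It shows the narrow policy a practitioner would want before re-issuing a token request: only 307/308, only HTTPS, only an explicit allow list of hosts, a hop cap, and a flag telling the caller to drop the Authorization header when the target host changes.

```rust
// Added example (not oauth2-rs or reqwest code): a conservative redirect
// policy for a custom token-endpoint http_client. All names are illustrative.

#[derive(Debug, Clone, PartialEq)]
pub struct Origin {
    pub scheme: String,
    pub host: String,
}

/// Minimal scheme/host extraction, kept dependency-free for the example.
/// Userinfo, port, path, query and fragment are discarded.
pub fn parse_origin(url: &str) -> Option<Origin> {
    let (scheme, rest) = url.split_once("://")?;
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let authority = &rest[..end];
    let hostport = authority.rsplit('@').next()?; // drop any user:pass@
    let host = hostport.split(':').next()?.trim();
    if scheme.is_empty() || host.is_empty() {
        return None;
    }
    Some(Origin {
        scheme: scheme.to_ascii_lowercase(),
        host: host.to_ascii_lowercase(),
    })
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Re-issue the same POST (method and body intact) to the Location.
    /// `strip_authorization` is true when the host changes: an Authorization
    /// header carrying client_secret_basic credentials must not be forwarded.
    Follow { strip_authorization: bool },
    Stop(&'static str),
}

pub struct RedirectPolicy {
    pub max_hops: usize,
    /// Lowercase hosts (e.g. the gateway) a token request may be re-sent to.
    pub allowed_hosts: Vec<String>,
}

impl RedirectPolicy {
    pub fn decide(&self, hops_so_far: usize, status: u16, original: &str, location: &str) -> Decision {
        if hops_so_far >= self.max_hops {
            return Decision::Stop("redirect limit reached");
        }
        // 301/302/303 let (303: require) the client to turn the POST into a
        // GET and drop the body, so the token request cannot survive them.
        if status != 307 && status != 308 {
            return Decision::Stop("only 307/308 preserve the POST body");
        }
        let from = match parse_origin(original) {
            Some(o) => o,
            None => return Decision::Stop("unparseable original URL"),
        };
        // A path-only Location stays on the original origin; "//host/..." does not.
        let target = if location.starts_with('/') && !location.starts_with("//") {
            from.clone()
        } else {
            match parse_origin(location) {
                Some(o) => o,
                None => return Decision::Stop("unparseable Location"),
            }
        };
        if target.scheme != "https" {
            return Decision::Stop("refusing non-HTTPS target");
        }
        let host_ok = target.host == from.host
            || self.allowed_hosts.iter().any(|h| h == &target.host);
        if !host_ok {
            return Decision::Stop("target host not on allow list");
        }
        Decision::Follow { strip_authorization: target.host != from.host }
    }
}

fn main() {
    // Constructed sample: token endpoint redirecting to an allow-listed gateway.
    let policy = RedirectPolicy {
        max_hops: 3,
        allowed_hosts: vec!["gateway.example".to_string()],
    };
    let token_url = "https://auth.example/token";
    for (status, loc) in [
        (307, "https://gateway.example/login"),
        (302, "https://gateway.example/login"),
        (307, "http://gateway.example/login"),
        (307, "https://evil.example/collect"),
    ] {
        println!("{status} -> {loc}: {:?}", policy.decide(0, status, token_url, loc));
    }
}
```

Two caveats the policy cannot cover: if the client authenticates with client_secret_post, the secret travels in the body that a 307/308 re-sends, so the host allow list is the only thing keeping it from an unexpected destination; and the same-host check treats `auth.example` and any other host the gateway later bounces to as separate hops, which is why the hop cap matters. The crate's default of not following redirects at all sidesteps this entire class of problems, which is the reason to keep the custom client as narrow as the above rather than re-enabling reqwest's general policy.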

Closing due to inactivity.

ramosbugs avatar Oct 07 '22 06:10 ramosbugs