oauth2-rs
RedirectPolicy forced to none
Howdy! I am new to OAuth as a protocol and working in an "edge case" situation where I'm using this crate for an OAuth Distributed, which in my case requires my initial auth flow to include a redirect. Essentially the auth server itself is protected and you must first auth with a public gateway you're redirected to. I wanted to hear your thoughts on how strong the below mandate should be. Would you accept a PR to make it settable despite the risks? If not, of course I can just make my own methods for http_client. Thanks for your work on this crate, it is making my life easier right now.
https://github.com/ramosbugs/oauth2-rs/blob/7c10cf07feb9538f9cc66dcb457bd36fbb1ca864/src/reqwest.rs#L55-L59
Hey @mooreniemi, I'm not very well-versed in that RFC, but from a cursory glance it looks like the discovery process involves a separate request/response prior to starting the normal OAuth flow. I don't think enabling the HTTP client to follow redirects during the token request (or the other server-to-server endpoints) would be required to support OAuth Discovery, but I may be misunderstanding something. It seems like you'd need to make the discovery request, parse the response, and then construct an oauth2::Client specifying the endpoints returned in the discovery response. The openidconnect crate does something similar for OpenID Connect discovery.
If I'm indeed misunderstanding, would you mind providing a bit more detail about where in the flow there's an HTTP redirect being returned that this crate would need to follow in order to support this flow?
I don't know how much of the internal docs I can share. Basically once the auth server redirects me, that followed request itself returns a StandardTokenResponse, so I may be misunderstanding but I thought if I could reuse http_client here that's cleaner than setting up a secondary client whose sole purpose is just to mimic it but change only the RedirectPolicy.
Hmm, it sounds like a bit of an odd (or at least quite uncommon) use case to have a redirect in response to this sort of POST request, so I think it would be better to use a custom http_client than to expose that interface directly in this crate. Fortunately, that only requires about 30 lines of code: https://github.com/ramosbugs/oauth2-rs/blob/c7945cea0f85352eb1a43a4395d3bb6dc719f49f/src/reqwest.rs#L96-L128
Closing due to inactivity.