
"localhost" is not considered a valid host for "openIdConnectUrl" #338

Closed
JenswBE opened this issue Oct 22, 2021 · 4 comments

Comments

@JenswBE

JenswBE commented Oct 22, 2021

Problem

Linter doesn't like localhost in openIdConnectUrl

# File: openapi.yml
  securitySchemes:
    localAuth:
      type: openIdConnect
      openIdConnectUrl: http://localhost:9001/auth/realms/go-commerce/.well-known/openid-configuration
  Message :   openIdConnectUrl must be defined for openIdConnect property and must be a valid URL
  Rule    :   builtin
  Path    :   securitySchemes.localAuth
  Line    :   0

Workaround

A simple workaround is to use 127.0.0.1 instead.

Possible solutions

After some digging in the source code, I see you're using the helper isURL from package validate to check this url: https://github.com/IBM/openapi-validator/blob/main/src/plugins/validation/oas3/semantic-validators/security-definitions-ibm.js#L168

I see 2 solutions to this issue:

  1. Use option { host_whitelist: ['localhost'] } as second argument to isURL. This seems the cleanest solution to me. Unfortunately, there is a related issue and PR. The fix is not yet merged on the latest release, but the option could already be provided. Therefore, the issue will be automatically solved when the version of validate can be bumped.
  2. Use option { require_tld: false } as second argument to isURL. This will immediately solve the issue, but also allow non-fully-qualified domain names. Depending on how strict you want the check to be, this might be a showstopper.
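To make the difference between the two options concrete, here is an added illustration (not validator.js and not the openapi-validator code) that mirrors what `host_whitelist` and `require_tld` mean for an `openIdConnectUrl` check, built on Node's WHATWG `URL` parser; the hostnames it classifies are assumed to be ASCII.

```javascript
// Added example: an openIdConnectUrl check whose options mirror the two
// isURL approaches discussed in this issue. Not validator.js itself.
const ALLOWED_SCHEMES = ["http:", "https:"];

// A hostname "has a TLD" when it is an IP literal or has at least two
// non-empty dot-separated labels. This is what require_tld asks for.
function hasTld(hostname) {
  if (hostname.startsWith("[")) return true;                  // IPv6 literal, e.g. [::1]
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return true;   // IPv4 literal, e.g. 127.0.0.1
  const labels = hostname.split(".");
  return labels.length >= 2 && labels.every((l) => l.length > 0);
}

// hostWhitelist: hosts accepted even without a TLD (the { host_whitelist } route)
// requireTld:    when false, any syntactically valid host passes (the { require_tld: false } route)
function isValidOpenIdConnectUrl(value, { hostWhitelist = [], requireTld = true } = {}) {
  let url;
  try {
    url = new URL(value);            // rejects anything that is not an absolute URL
  } catch {
    return false;
  }
  if (!ALLOWED_SCHEMES.includes(url.protocol)) return false;
  if (url.hostname === "") return false;
  if (hostWhitelist.includes(url.hostname)) return true;   // explicit allow-list wins
  if (!requireTld) return true;                            // loosest option: no TLD needed
  return hasTld(url.hostname);
}

// Classify a batch of URLs under one option set; handy for comparing the two routes.
function classify(urls, options) {
  return Object.fromEntries(urls.map((u) => [u, isValidOpenIdConnectUrl(u, options)]));
}
```

With the allow-list, `http://localhost:9001/...` passes while a bare internal name such as `http://intranet/...` is still rejected; with `requireTld: false` both pass, which is the strictness trade-off described above.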
@dpopp07
Member

dpopp07 commented Oct 25, 2021

Thanks for the issue and explanations. It is my preference that we wait on this to see if validator releases a new version soon to take advantage of default behavior. If they do not, I would be happy to accept a PR that specifically allow-lists "localhost".

@JenswBE
Author

JenswBE commented Oct 26, 2021

If I understood the issue correctly, it only fixes the order of host_whitelist vs other options. So, localhost won't be allow-listed by default and an explicit allow-listing is still needed using host_whitelist or require_tld.

But fine for me to wait for the next release as there is an easy workaround available.

@JenswBE
Author

JenswBE commented Jul 21, 2022

Seems validator will never put it as default as it's not valid according to the RFC. See validatorjs/validator.js#1609 for more info.

Are you open to considering { host_whitelist: ['localhost'] }? If not, feel free to close this ticket.

JenswBE added a commit to JenswBE/go-commerce that referenced this issue Jul 21, 2022
JenswBE added a commit to JenswBE/go-commerce-admin that referenced this issue Jul 21, 2022
@dpopp07
Member

dpopp07 commented Jul 25, 2022

Hey @JenswBE, after some internal discussion, we decided not to support localhost as a valid URL. Thank you for the issue!

@dpopp07 dpopp07 closed this as completed Jul 25, 2022