Make redirect_uri optional #947
Comments
|
Is there any progress on this issue? I'm building a client application that implements a Two-legged OAuth2 strategy. Because of the validation on the |
|
Hi @Linuus. Does it correspond to the OAuth2 RFC ? It is required to do some research on this issue ... |
|
As I can see redirect_uri can be blank. So we need to see what we can do on Doorkeeper side |
|
@nbulaj Sorry for the late reply. Yes it looks like it is optional :) Thank you for taking a look at this! |
|
So I made some exploration about this issue. To implement this one it is required to:
If the first one is possible without any braking changes, the second one requires additional actions, especially for legacy projects with old versions of Doorkeeper. Other "side-effect" is that developers can set different grant flows (client credentials, password, auth code), but create all the applications without redirect URI... So the behavior of the Doorkeeper would be abnormal. It this case it is required to do more on top of auth logic of the gem. |
|
@kevinetore what kind of grant type do you use? |
|
@Linuus: This is just a side remark. But you should have a look into PKCE. iOS Apps totally should use the redirect flow. There even is a special mobile-App variation of authentication_code grant (with PKCE). That is created because you normally cannot really trust the client credentials of mobile apps. My feeling: This here is no real issue. There are some cases, where redirect_uri should not be needed (when there is some trusted server, that really only needs client_credentials flow) - but those are really rare cases. Mobile apps - never should need client credentials flow. I think, if a mobile app needs that - this API already can be assumed as to be public. |
|
I made some research and I think we can make Doorkeeper opionated enough. We can check configured grant types and if it's only So the only case in such implementation is when developer after some time (1 year for example) of using just password flow will add an |
|
I haven’t thought about this issue in years and the project where I used doorkeeper is dead :) But, it sounds reasonable to me! |
Fix #947: Allow blank redirect URI for URI-less grant flows
|
Finally this feature released: #1237 Doorkeeper automatically will allow to use blank redirect URIs in case server configured to use URI-less grant flows (client credentials, resource owner password). One thing you need to do is to remove [NOTE]: don't forget that if you will enable oauth grant flows that require redirect URI (like authorization code or implicit) - you applications automatically becomes invalid because they have a blank column. You wouldn't be able t create an application without redirect URI using Doorkeeper admin panel. So use this feature carefully. Read more here: https://github.com/doorkeeper-gem/doorkeeper/wiki/Allow-blank-redirect-URI-for-Applications |
Hi!
I have a question about the
redirect_uribeing required. I've seen a few other issues about this but they are all closed and I didn't find the answers that I need :)Let's say someone is building an iOS application. They would use the "client_credentials flow" to authenticate against doorkeeper. When they create the app in doorkeeper, what would they put in the redirect_uri field? Isn't it weird to just add some dummy uri? Since they will never use "authorization code flow" the redirect uri will never be used.
Isn't it appropriate to just make it mandatory for authorization code flow requests? So, if I don't enter a redirect_uri for my app, I can't use the "authorization code flow"? It's not like we need to redirect to any uri because of this, right?
I think Twitter is doing something similar on their callback url:
Perhaps I'm missing something obvious here so please enlighten me :D
The text was updated successfully, but these errors were encountered: