Validate DCR redirect_uris with HTTPS-or-loopback policy#2860
Open
KirtiRamchandani wants to merge 1 commit into
Open
Validate DCR redirect_uris with HTTPS-or-loopback policy#2860KirtiRamchandani wants to merge 1 commit into
KirtiRamchandani wants to merge 1 commit into
Conversation
Validate DCR redirect_uris with HTTPS-or-loopback policy Fix CI: import order and reject non-loopback redirect test Mark redirect URI scheme requirement as implemented fix(auth): always validate required redirect_uris at registration fix(auth): guard required redirect_uris for pyright and coverage
KirtiRamchandani
force-pushed
the
fix/dcr-redirect-uri-validation
branch
from
728e429 to
55187a0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Dynamic client registration accepts dangerous
redirect_urissuch asjavascript:,data:,file:, cleartext non-loopbackhttp://, and URIs with fragments. The SDK already enforces an HTTPS-or-loopback policy for issuer URLs, but DCR did not apply the same checks.Root cause
RegistrationHandlerpassed client-submittedredirect_urisstraight through after Pydantic URL parsing.AnyUrlaccepts any syntactically valid scheme.Fix
validate_registered_redirect_uri()alongside the existing issuer URL validator/registerinvalid_client_metadatawhen validation failsTesting
tests/server/auth/test_routes.pypython3 -m pytest tests/server/auth/test_routes.py -q --confcutdir=tests/server/authFixes #2629