airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-2185) OAuth2 based auth backends include query parameter in redirect_uri
Date Thu, 15 Mar 2018 08:03:00 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-2185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16400051#comment-16400051
] 

ASF subversion and git services commented on AIRFLOW-2185:
----------------------------------------------------------

Commit eeca38396015589f7dddd67f8836d5d8aa7ac010 in incubator-airflow's branch refs/heads/master
from [~SamSchlegel]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=eeca383 ]

[AIRFLOW-2185] Use state instead of query param

Both the Google OAuth2 and GHE authentication
plugins include the
`next_url` as a query parameter in redirect_uri.
This breaks at least
Google OAuth2, unless you include the query
parameter in the
authorized redirection URI. This isn't the most
flexible solution, as you
would have to do the same for every potential next
URL, and seems to
go against the OAuth2 spec.

Instead the next_url should be sent via the state
parameter which MUST
be maintained by all spec compliant OAuth2
implementations, and is not
used when comparing redirection URIs.

Closes #3103 from samschlegel/AIRFLOW-2185


> OAuth2 based auth backends include query parameter in redirect_uri
> ------------------------------------------------------------------
>
>                 Key: AIRFLOW-2185
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2185
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.9.0
>            Reporter: Sam Schlegel
>            Assignee: Sam Schlegel
>            Priority: Major
>             Fix For: 2.0.0
>
>
> Both the Google OAuth2 and GHE authentication plugins include the `next_url` as a query
parameter in redirect_uri. This breaks at least Google OAuth2, unless you include the query
parameter in the authorized redirection URI. This isn't the most flexible solution, as you
would have to do the same for every potential next URL, and seems to go against the OAuth2
spec.
> Instead the next_url should be sent via the state parameter which MUST be maintained
by all spec compliant OAuth2 implementations, and is not used when comparing redirection URIs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message