airflow-commits mailing list archives

From "Sam Schlegel (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-2185) OAuth2 based auth backends include query parameter in redirect_uri
Date Mon, 19 Mar 2018 18:47:00 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-2185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16405265#comment-16405265 ]

Sam Schlegel commented on AIRFLOW-2185:
---------------------------------------

[~Fokko] Thanks!

> OAuth2 based auth backends include query parameter in redirect_uri
> ------------------------------------------------------------------
>
>                 Key: AIRFLOW-2185
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2185
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.9.0
>            Reporter: Sam Schlegel
>            Assignee: Sam Schlegel
>            Priority: Major
>             Fix For: 2.0.0
>
>
> Both the Google OAuth2 and GHE authentication plugins include the `next_url` as a query
> parameter in redirect_uri. This breaks at least Google OAuth2, unless you include the query
> parameter in the authorized redirection URI. This isn't the most flexible solution, as you
> would have to do the same for every potential next URL, and seems to go against the OAuth2
> spec.
> Instead the next_url should be sent via the state parameter which MUST be maintained
> by all spec compliant OAuth2 implementations, and is not used when comparing redirection URIs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
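
One way to carry `next_url` in `state` while keeping `redirect_uri` constant, as the issue describes (an added example, not part of the original message and not Airflow's code). The endpoint URLs, the HMAC signing key and all function names are assumptions made for illustration; the signature and the path check keep a forged or off-site `next_url` from being followed after login.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration (assumptions, not Airflow settings).
SECRET = secrets.token_bytes(32)
REDIRECT_URI = "https://airflow.example.com/oauth2callback"
AUTHORIZE_URL = "https://idp.example.com/authorize"

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def encode_state(next_url: str) -> str:
    """Pack next_url and a nonce into a signed, URL-safe state value."""
    body = json.dumps({"next": next_url, "nonce": secrets.token_hex(8)})
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return payload + "." + _sign(payload)

def decode_state(state: str, default: str = "/") -> str:
    """Return next_url from state; fall back to default if forged or unsafe."""
    payload, _, sig = state.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return default
    next_url = json.loads(base64.urlsafe_b64decode(payload))["next"]
    parts = urlsplit(next_url)
    # Follow only same-site paths so state cannot become an open redirect.
    if parts.scheme or parts.netloc or "\\" in next_url:
        return default
    return next_url if next_url.startswith("/") else default

def authorization_url(client_id: str, next_url: str) -> str:
    """Build the authorization request: fixed redirect_uri, next_url in state."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,  # must match the registered URI exactly
        "scope": "email",
        "state": encode_state(next_url),
    })

def next_url_from_callback(callback_url: str) -> str:
    """Recover next_url from the state the provider echoed back."""
    state = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return decode_state(state)
```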
