Should I make this bug for FusionAuth team? - "file:///" errors on save
-
We are integrating a vendor Electron app with OIDC and FusionAuth 1.26.
The redirect_url that the vendor wants to use is: file:///vendorname/auth/callback (note the three forward slashes)
If you try to save "file:///vendorname/auth/callback" in the Edit Application screen you get this error, "Authorized redirect URLs - Invalid URL"
We thought this was a UI only error, so we tried to add the same file url via the API on
applicationRequest.application.oauthConfiguration.authorizedRedirectURLs.Add(@"file:///vendorname/auth/callback");
but we got this back as a response from fusionAuthClient.UpdateApplicationAsync:
"Invalid URL [file:///vendorname/auth/callback] for property [application.oauthConfiguration.authorizedRedirectURLs]."
Is this a legit bug for the FusionAuth team? Is there any way around this?
I can save the url as file://vendorname/auth/callback (note two forward slashes), but the vendor is insisting it be three forward slashes.
Any help or workarounds here?
Thanks.
-
I am not sure if this is a bug, but rather may be a security limit placed by the OAuth protocol that you are implementing through FusionAuth. I will have to check to see if this pattern ---
file:///...
qualifies as an absolute URI. In FusionAuth, the only valid redirects are outlined below.
An array of URLs that are the authorized redirect URLs for FusionAuth OAuth. Examples of valid redirect URIs:
- https://example.com/redirect
- com.myApp://redirect
- com.myApp:/redirect
AVAILABLE SINCE 1.7.0 You may now use URLs that do not begin with http to support native application redirect. Prior to this version the value will be validated to begin with http.
AVAILABLE SINCE 1.12.0 You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect would fail validation as an invalid URL.
https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
From the OAuth spec, 3.1.2. Redirection Endpoint:
After completing its interaction with the resource owner, the
authorization server directs the resource owner's user-agent back to
the client. The authorization server redirects the user-agent to the
client's redirection endpoint previously established with the
authorization server during the client registration process or when
making the authorization request.
The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] Section 4.3. The endpoint URI MAY include an
"application/x-www-form-urlencoded" formatted (per Appendix B) query
component ([RFC3986] Section 3.4), which MUST be retained when adding
additional query parameters. The endpoint URI MUST NOT include a
fragment component.
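As an added illustration (not FusionAuth's validator and not code from either poster), the following Python applies the two syntactic rules the RFC text above states, absolute URI and no fragment, to the URLs mentioned in this thread, shows how the URI grammar splits file:/// (empty authority) versus file://host, and uses the simple string comparison RFC 6749 section 3.1.2.3 prescribes for matching a request's redirect_uri against the registered list. Standard library only; note that urlsplit lowercases the scheme.

```python
from urllib.parse import urlsplit

# Constructed sample set: the FusionAuth docs examples quoted above, the
# vendor's three-slash URL, the two-slash variant that did save, and two
# deliberately bad inputs (relative, and with a fragment).
SAMPLE_URIS = [
    "https://example.com/redirect",
    "com.myApp://redirect",
    "com.myApp:/redirect",
    "file:///vendorname/auth/callback",
    "file://vendorname/auth/callback",
    "/auth/callback",                   # relative: no scheme
    "https://example.com/redirect#x",   # fragment: forbidden
]


def check_redirect_uri(uri: str) -> tuple[bool, str]:
    """RFC 6749 3.1.2: the redirection endpoint MUST be an absolute URI
    (RFC 3986 4.3, i.e. it starts with a scheme) and MUST NOT include a
    fragment. This mirrors the RFC text only, not FusionAuth's own rules."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return False, "not absolute: no scheme"
    if "#" in uri:                      # even an empty '#' is a fragment component
        return False, "fragment component not allowed"
    return True, "absolute URI, no fragment"


def describe(uri: str) -> dict:
    """Split a URI into scheme / authority / path so the difference between
    file:/// (authority present but empty) and file://vendorname is visible."""
    p = urlsplit(uri)
    ok, reason = check_redirect_uri(uri)
    return {"scheme": p.scheme, "authority": p.netloc, "path": p.path,
            "rfc6749_ok": ok, "reason": reason}


def matches_registered(requested: str, registered: list[str]) -> bool:
    """RFC 6749 3.1.2.3: compare a requested redirect_uri against the
    registered full URIs by simple string comparison, never by prefix."""
    return any(requested == r for r in registered)


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u:36} -> {describe(u)}")
    print(matches_registered("file://vendorname/auth/callback/../x",
                             ["file://vendorname/auth/callback"]))  # False
```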