FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Should I make this bug for FusionAuth team? - "file:///" errors on save

    Scheduled Pinned Locked Moved
    General Discussion
    0
    2
    519
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fred.fred
      last edited by fred.fred

      We are integrating a vendor Electron app with OIDC and FusionAuth 1.26.

      The redirect_url that the vendor wants to use is: file:///vendorname/auth/callback (note the three forward slashes)

      If you try to save "file:///vendorname/auth/callback" in the Edit Application screen you get this error, "Authorized redirect URLs - Invalid URL"

      We thought this was a UI only error, so we tried to add the same file url via the API on

      applicationRequest.application.oauthConfiguration.authorizedRedirectURLs.Add(@"file:///vendorname/auth/callback");

      but we got this back as a response from fusionAuthClient.UpdateApplicationAsync:

      "Invalid URL [file:///vendorname/auth/callback] for property [application.oauthConfiguration.authorizedRedirectURLs]."

      Is this a legit bug for the FusionAuth team? Is there any way around this?

      I can save the url as file://vendorname/auth/callback (note two forward slashes), but the vendor is insisting it be three forward slashes.

      Any help or workarounds here?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • joshuaJ
        joshua
        last edited by

        @fred-fred

        I am not sure if this is a bug, but rather may be a security limit placed by the OAuth protocol that you are implementing through FusionAuth. I will have to check to see if this pattern --- file:///... qualifies as an absolute URI.

        In FusionAuth, the only valid redirects are outlined below.

        An array of URLs that are the authorized redirect URLs for FusionAuth OAuth.

Examples of valid redirect URIs:

- https://example.com/redirect

- com.myApp://redirect

- com.myApp:/redirect

AVAILABLE SINCE 1.7.0



You may now use URLs that do not begin with http to support native application redirect. Prior to this version the value will be validated to begin with http.

AVAILABLE SINCE 1.12.0

You may now use URLs for application redirects that use a single slash to denote there is no naming authority for the scheme. Prior to this version a URL such as com.myApp:/redirect would fail validation as in invalid URL.

        https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
        From the OAuth spec

        3.1.2. Redirection Endpoint

        After completing its interaction with the resource owner, the
        authorization server directs the resource owner's user-agent back to
        the client. The authorization server redirects the user-agent to the
        client's redirection endpoint previously established with the
        authorization server during the client registration process or when
        making the authorization request.

        The redirection endpoint URI MUST be an absolute URI as defined by
        [RFC3986] Section 4.3. The endpoint URI MAY include an
        "application/x-www-form-urlencoded" formatted (per Appendix B) query
        component ([RFC3986] Section 3.4), which MUST be retained when adding
        additional query parameters. The endpoint URI MUST NOT include a
        fragment component.

        1 Reply Last reply Reply Quote 1
        • First post
          Last post