Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

refactor: replace OAuth2 callback_url with RFC 6749 compliant redirect_uris#18810

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
ThomasK33 wants to merge1 commit intothomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
base:thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
Choose a base branch
Loading
fromthomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance

Conversation

ThomasK33
Copy link
Member

RFC 6749 Compliance: Replace callback_url with redirect_uris Array

This PR improves OAuth2 provider compliance with RFC 6749 by replacing the singlecallback_url field with a properredirect_uris array. This change allows OAuth2 clients to register multiple valid redirect URIs and enforces exact URI matching as required by the specification.

Key changes:

  • Migrated database schema to removecallback_url column and makeredirect_uris the source of truth
  • Updated API endpoints to accept and validate multiple redirect URIs
  • Modified OAuth2 authorization flow to perform exact URI matching against registered URIs
  • Changed device authorization endpoint to accept form-urlencoded data instead of JSON
  • Updated frontend to support adding/removing multiple redirect URIs
  • Added database migration with backward compatibility support

This change improves security by enforcing stricter redirect URI validation and provides more flexibility for OAuth2 clients that need multiple callback endpoints.

@ThomasK33Graphite App
Copy link
MemberAuthor

ThomasK33 commentedJul 9, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stackon Graphite.
Learn more

This stack of pull requests is managed byGraphite. Learn more aboutstacking.

@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch fromdd9cb2f toae754f4CompareJuly 9, 2025 12:16
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch fromf9e6552 to1444efeCompareJuly 9, 2025 12:16
@ThomasK33ThomasK33 changed the base branch fromthomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation tographite-base/18810July 9, 2025 15:19
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch from1444efe toef4a6c8CompareJuly 9, 2025 22:21
@ThomasK33ThomasK33 changed the base branch fromgraphite-base/18810 tothomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocationJuly 9, 2025 22:21
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch fromef4a6c8 toe24c4b5CompareJuly 10, 2025 09:15
@ThomasK33ThomasK33 requested a review fromjohnstcnJuly 10, 2025 09:25
@ThomasK33ThomasK33 marked this pull request as ready for reviewJuly 10, 2025 09:25
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch frome24c4b5 to98e7f95CompareJuly 12, 2025 12:55
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch fromab73979 tob89c367CompareJuly 12, 2025 12:55
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch fromb89c367 tob73b71dCompareJuly 14, 2025 12:43
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch from98e7f95 to2792051CompareJuly 14, 2025 12:43
@ThomasK33ThomasK33 changed the base branch fromthomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation tographite-base/18810July 14, 2025 15:16
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch from2792051 to3dd0c37CompareJuly 14, 2025 16:22
@ThomasK33ThomasK33 changed the base branch fromgraphite-base/18810 tothomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocationJuly 14, 2025 16:22
@ThomasK33ThomasK33force-pushed thethomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation branch from386d77d tob58eed8CompareJuly 14, 2025 17:18
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch from3dd0c37 to962c22cCompareJuly 14, 2025 17:18
@ThomasK33ThomasK33 changed the base branch fromthomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation tographite-base/18810July 15, 2025 16:03
@ThomasK33ThomasK33 changed the base branch fromthomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation tographite-base/18810July 21, 2025 12:15
Iconstring`json:"icon"`
IDuuid.UUID`json:"id" format:"uuid"`
Namestring`json:"name"`
RedirectURIs []string`json:"redirect_uris"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

As I understand, you could only get this response if the OAuth2 provider was enabled, which was only available on development builds and not release builds. So not a breaking change, correct?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yes, either a dev build or if one actively enables the oauth2 experiment

Comment on lines +499 to +502
// RFC 6749: Exact match against registered redirect URIs
ifslices.Contains(registeredRedirectURIs,redirectURIParam) {
returnredirectURL
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

ThomasK33 reacted with thumbs up emoji
Comment on lines +237 to 238
// @Acceptapplication/x-www-form-urlencoded
// @Produce json
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I found it hard to believe, but here it ishttps://datatracker.ietf.org/doc/html/rfc8628#section-3.2

ThomasK33 reacted with thumbs up emoji
Comment on lines +94 to +95
<divcss={{display:"flex",alignItems:"center",gap:8}}>
<spancss={{fontWeight:500,fontSize:14}}>Redirect URIs</span>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

could you please use tailwind classes? we're currently trying to move away from emotion

<IconButton
size="small"
onClick={addRedirectUri}
css={{padding:4}}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Suggested change
css={{padding:4}}
className="p-1"

same here, and for reference one tailwind "spacing" is basically 4px

{redirectUris.map((uri,index)=>(
<div
key={index}
css={{display:"flex",gap:8,alignItems:"flex-start"}}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Suggested change
css={{display:"flex",gap:8,alignItems:"flex-start"}}
className="flex gap-2 items-start"

<IconButton
size="small"
onClick={()=>removeRedirectUri(index)}
css={{padding:4,marginTop:index===0 ?8 :0}}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

is themarginTop here to "center" the button? if so you could useflex items-center.

also we probably want to add a story for this component, I went to look at it locally and it doesn't seem accessible from the existing OAuth2 stories.

@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch from4fb1c39 to055d631CompareJuly 23, 2025 16:53
@github-actionsgithub-actionsbot added the staleThis issue is like stale bread. labelJul 31, 2025
@ThomasK33ThomasK33 reopened thisAug 12, 2025
@ThomasK33ThomasK33 removed the staleThis issue is like stale bread. labelAug 12, 2025
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch from055d631 tobdc94d5CompareAugust 12, 2025 16:30
@ThomasK33ThomasK33 changed the base branch fromgraphite-base/18810 tothomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocationAugust 12, 2025 16:30
@ThomasK33ThomasK33 assignedEmyrk and unassignedThomasK33Aug 12, 2025
@ThomasK33ThomasK33 changed the base branch fromthomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation tographite-base/18810August 12, 2025 16:49
…plianceChange-Id: I4823e475777ebdf75e3a80e47ff6bef1a556cd55Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33ThomasK33force-pushed thethomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branch frombdc94d5 to67bf443CompareAugust 12, 2025 16:58
@ThomasK33ThomasK33 changed the base branch fromgraphite-base/18810 tothomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocationAugust 12, 2025 16:58
@github-actionsgithub-actionsbot added the staleThis issue is like stale bread. labelAug 20, 2025
@EmyrkEmyrk reopened thisAug 24, 2025
@github-actionsgithub-actionsbot removed the staleThis issue is like stale bread. labelAug 25, 2025
@github-actionsgithub-actionsbot added the staleThis issue is like stale bread. labelSep 1, 2025
@ThomasK33ThomasK33 deleted the thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branchSeptember 15, 2025 07:52
@ThomasK33ThomasK33 restored the thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance branchSeptember 15, 2025 07:54
@EmyrkEmyrk reopened thisOct 6, 2025
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@dannykoppingdannykoppingdannykopping left review comments

@aslilacaslilacaslilac left review comments

@johnstcnjohnstcnjohnstcn left review comments

@EmyrkEmyrkAwaiting requested review from Emyrk

@mafredrimafredriAwaiting requested review from mafredri

Assignees

@EmyrkEmyrk

Labels
staleThis issue is like stale bread.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

5 participants
@ThomasK33@dannykopping@aslilac@johnstcn@Emyrk

[8]ページ先頭

©2009-2025 Movatter.jp