fix: Prevent infinite redirects on oidc errors#6550


Merged
Emyrk merged 2 commits into main from stevenmasley/oidc_errors
Mar 10, 2023

Conversation

Emyrk
Member

@Emyrk commented Mar 10, 2023 (edited)

Providing an invalid scope (-oidc-scopes openid,profile,email,bad) on the Okta OIDC provider causes an infinite redirect loop.

@Emyrk changed the title from "fix: Prevent infinite redirects on bad oidc scopes" to "fix: Prevent infinite redirects on oidc errors" Mar 10, 2023

Collaborator

@sreya left a comment

Honestly a great find 👍

@johnstcn self-requested a review March 10, 2023 09:28

Member

@johnstcn left a comment

Nice find Steven. Just a couple comments about how we handle the error_description and error_uri parameters.

// if for example we are providing an invalid scope.
// We should terminate the OIDC process if we encounter an error.
oidcError := r.URL.Query().Get("error")
errorDescription := r.URL.Query().Get("error_description")
Member

Per the OIDC spec only the error response parameter is required; the error_description field is optional so we should handle that being blank.

Also there is an error_uri parameter that might be present so we should check for that as well.

Member, Author

I do handle an empty error_description. The Details part of the error is extra developer debug info. If it is empty, we provide no extra details, since we have no extra information.

I can add error_uri though 👍
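The check discussed in this thread, as an added example that is not code from the project under review: a callback handler that ends the OIDC flow as soon as the provider's redirect carries an error response, reading the required error parameter and the optional error_description and error_uri parameters, instead of sending the browser back to the provider again. The type and function names are assumptions, not the project's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// OIDCCallbackError is a constructed type for the error response an OpenID
// Connect provider appends to the redirect URI when authorization fails.
type OIDCCallbackError struct {
	Code        string // "error": the only field the spec requires
	Description string // "error_description": optional
	URI         string // "error_uri": optional
}

// Error omits the optional fields when the provider did not send them.
func (e *OIDCCallbackError) Error() string {
	msg := fmt.Sprintf("oidc provider returned error %q", e.Code)
	if e.Description != "" {
		msg += ": " + e.Description
	}
	if e.URI != "" {
		msg += " (see " + e.URI + ")"
	}
	return msg
}

// ParseOIDCCallbackError returns nil when the query has no "error" parameter,
// otherwise the terminal error: the caller must stop, not redirect again.
func ParseOIDCCallbackError(q url.Values) *OIDCCallbackError {
	code := q.Get("error")
	if code == "" {
		return nil
	}
	return &OIDCCallbackError{
		Code:        code,
		Description: q.Get("error_description"),
		URI:         q.Get("error_uri"),
	}
}

// oidcCallback is a hypothetical handler: a provider error ends the flow with 400 instead of another redirect.
func oidcCallback(w http.ResponseWriter, r *http.Request) {
	if oerr := ParseOIDCCallbackError(r.URL.Query()); oerr != nil {
		http.Error(w, oerr.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, "no provider error; continue with the code exchange")
}
```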

Member

@kylecarbs left a comment

Woot woot! I've had URI mismatch on my OIDC setup so many times and I always had to inspect. Great change.

@Emyrk merged commit a8433b1 into main Mar 10, 2023
@Emyrk deleted the stevenmasley/oidc_errors branch March 10, 2023 16:12
@github-actions bot locked and limited conversation to collaborators Mar 10, 2023
Reviewers

@sreya approved these changes

@johnstcn approved these changes

@kylecarbs approved these changes

Assignees

@Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

4 participants
@Emyrk @sreya @johnstcn @kylecarbs
