WildFly Elytron: ELY-2246

redirect_url should not have a query string included in it, but some cases retain a partial query string

Details

    Description

      Original OAuth 2.0 spec: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2

      Update for threat model and security considerations: https://www.rfc-editor.org/rfc/rfc6819#section-5.2.3.3

      The original spec allowed for query strings to be dynamic in redirect urls, but the update no longer allows them because they create potential security vulnerabilities. From this I would conclude that the query string is meant to be removed entirely. If that's the case, it makes `OidcRequestAuthenticator.stripOauthParametersFromRedirect()` redundant. It may also be appropriate to allow the redirect_url to be defined in the config, so Elytron doesn't need to derive it from the url which the user arrives at after authenticating.

      (see https://issues.redhat.com/browse/ELY-2242)
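      To make the reported behaviour concrete, the following is an added illustration (not Elytron code; the `OAUTH_PARAMS` set and the URLs are assumed for the example). It contrasts deriving the redirect_uri by stripping only the OAuth response parameters, which retains any other query parameter the user happened to arrive with, against dropping the query string entirely as RFC 6819 section 5.2.3.3 expects, and adds the check a server would apply before accepting a redirect_uri.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public final class RedirectUriDerivation {

    // OAuth/OIDC response parameters an authenticator removes from the
    // URL the user arrives at (assumed set, for illustration only).
    private static final Set<String> OAUTH_PARAMS = Set.of("code", "state", "session_state");

    // scheme://authority/path with no query component and no fragment
    private static String baseOf(URI uri) {
        return uri.getScheme() + "://" + uri.getRawAuthority() + uri.getRawPath();
    }

    /** Strip only the OAuth parameters: any other query parameter survives. */
    public static String stripOauthParametersOnly(String arrivalUrl) {
        URI uri = URI.create(arrivalUrl);
        List<String> kept = new ArrayList<>();
        String rawQuery = uri.getRawQuery();
        if (rawQuery != null) {
            for (String pair : rawQuery.split("&")) {
                if (pair.isEmpty()) {
                    continue;
                }
                int eq = pair.indexOf('=');
                String name = eq < 0 ? pair : pair.substring(0, eq);
                if (!OAUTH_PARAMS.contains(name)) {
                    kept.add(pair); // this is the partial query string that leaks through
                }
            }
        }
        return kept.isEmpty() ? baseOf(uri) : baseOf(uri) + "?" + String.join("&", kept);
    }

    /** Drop the whole query string: the redirect_uri is static, as RFC 6819 5.2.3.3 requires. */
    public static String stripEntireQuery(String arrivalUrl) {
        return baseOf(URI.create(arrivalUrl));
    }

    /** Server-side check: a registered redirect_uri must carry no query string or fragment. */
    public static boolean isStaticRedirectUri(String redirectUri) {
        URI uri = URI.create(redirectUri);
        return uri.getRawQuery() == null && uri.getRawFragment() == null;
    }

    public static void main(String[] args) {
        String arrival = "https://app.example.com/secured/?code=abc123&state=xyz&session_state=s1&tab=settings";
        System.out.println(stripOauthParametersOnly(arrival)); // https://app.example.com/secured/?tab=settings
        System.out.println(stripEntireQuery(arrival));         // https://app.example.com/secured/
        System.out.println(isStaticRedirectUri(stripOauthParametersOnly(arrival))); // false
        System.out.println(isStaticRedirectUri(stripEntireQuery(arrival)));         // true
    }
}
```

      The first derivation fails the static-URI check whenever the arrival URL carried any non-OAuth parameter, which is exactly the partial query string this issue describes.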

      People

        Assignee: Unassigned
        Reporter: Martin Carney (Inactive), mouseasw@gmail.com