
More options for redirect_uri validation

Open leastprivilege opened this issue 5 years ago • 1 comments

see

https://github.com/IdentityServer/IdentityServer4/issues/4865

leastprivilege, Dec 11 '20 15:12

e.g. with JAR and PAR the spec allows more flexibility in validation. As of today the validator does not have that context.

leastprivilege, Dec 18 '20 08:12

The idea would be to pass the validated request as a context param. Maybe we could add a new method on the interface with a default implementation to avoid the breaking change.

brockallen, Jan 10 '23 15:01

The concern here is that passing the ValidatedRequest will only be partially populated based on where we perform URL validation. This means that only some of the context params are usable, but passing the whole ValidatedRequest seems confusing and too much. @leastprivilege @bigheadedmonster

brockallen, Jan 26 '23 18:01

Maybe it's sufficient to pass over the raw request collection and/or any RequestObjectValues collected at this point in time.

brockallen, Jan 26 '23 18:01

The things we need are Parameters, RequestObjectValues (if signed) and client context. Seems like a good fit for a new/specialized context class? :=) (and consider putting in a RequestSigned : bool, helper property)

Those things together give much control and power, as you can decorate the Duende client object using your other interfaces.

bigheadedmonster, Jan 26 '23 20:01

Draft PR opened -- have a look to see if that's sufficient or if there's something else. Thanks.

brockallen, Jan 26 '23 22:01

Looks perfect :)

bigheadedmonster, Jan 27 '23 07:01