
Commit a29e00a

fix(oauth2): allow custom URI schemes without reverse domain notation for native apps
Change-Id: I4000cd39caa994efe0b76c4984e968f2963063ca Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent 8830706 commit a29e00a


2 files changed

+2
-8
lines changed


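--- a/codersdk/oauth2.go
+++ b/codersdk/oauth2.go
@@ -93,7 +93,7 @@ func (c *Client) OAuth2ProviderApp(ctx context.Context, id uuid.UUID) (OAuth2Pro
 
 type PostOAuth2ProviderAppRequest struct {
 Name string `json:"name" validate:"required,oauth2_app_display_name"`
-RedirectURIs []string `json:"redirect_uris" validate:"dive,http_url"`
+RedirectURIs []string `json:"redirect_uris" validate:"dive,uri"`
 Icon string `json:"icon" validate:"omitempty"`
 GrantTypes []OAuth2ProviderGrantType `json:"grant_types,omitempty" validate:"dive,oneof=authorization_code refresh_token client_credentials urn:ietf:params:oauth:grant-type:device_code"`
 }
@@ -150,7 +150,7 @@ func (c *Client) PostOAuth2ProviderApp(ctx context.Context, app PostOAuth2Provid
 
 type PutOAuth2ProviderAppRequest struct {
 Name string `json:"name" validate:"required,oauth2_app_display_name"`
-RedirectURIs []string `json:"redirect_uris" validate:"dive,http_url"`
+RedirectURIs []string `json:"redirect_uris" validate:"dive,uri"`
 Icon string `json:"icon" validate:"omitempty"`
 GrantTypes []OAuth2ProviderGrantType `json:"grant_types,omitempty" validate:"dive,oneof=authorization_code refresh_token client_credentials urn:ietf:params:oauth:grant-type:device_code"`
 }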
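Review bot: The `dive,uri` tag on RedirectURIs (in both PostOAuth2ProviderAppRequest and PutOAuth2ProviderAppRequest) is far more permissive than the `http_url` it replaces, and nothing in this file says where the real redirect-URI rules are enforced. If this is the go-playground `uri` rule, it strips a `#fragment` before parsing and also accepts a bare absolute path such as `/callback`, neither of which is a valid OAuth redirect URI (RFC 6749 §3.1.2 forbids fragments), so the struct tag alone no longer rejects those inputs. Presumably the dedicated checks in codersdk/oauth2_validation.go (isLoopbackAddress, isValidCustomScheme) cover this; if so, say that on the field so the next reader does not treat the tag as the full contract: `// Intentionally loose: custom schemes for native apps (RFC 8252) must pass; scheme, fragment and exact-match rules are enforced in oauth2_validation.go.` Worth adding a test that a redirect URI with a fragment and a relative path are still rejected end to end.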

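--- a/codersdk/oauth2_validation.go
+++ b/codersdk/oauth2_validation.go
@@ -257,12 +257,6 @@ func isLoopbackAddress(hostname string) bool {
 
 // isValidCustomScheme validates custom schemes for public clients (RFC 8252)
 func isValidCustomScheme(scheme string) bool {
-// For security and RFC compliance, require reverse domain notation
-// Should contain at least one period and not be a well-known scheme
-if !strings.Contains(scheme, ".") {
-return false
-}
-
 // Block schemes that look like well-known protocols
 wellKnownSchemes := []string{"http", "https", "ftp", "mailto", "tel", "sms"}
 for _, wellKnown := range wellKnownSchemes {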
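Review bot: Removing the period check leaves the short well-known list as the only filter in isValidCustomScheme, and that list is not exhaustive: schemes such as `file`, `data`, `javascript`, `ws`, `wss` and `blob` were previously rejected by the reverse-domain requirement and now pass, assuming the rest of the function (which continues past the hunk) only loops over that list. RFC 8252 §7.1 only recommends reverse-domain notation, so relaxing it is defensible, but the deleted comment should be replaced with one stating the accepted trade-off, e.g. `// Reverse-domain notation (RFC 8252 §7.1) is recommended but not required; scheme collisions on the device are mitigated by the other public-client protections, not by this check.` Rather than relying on a denylist alone, the function should also verify the scheme's syntax per RFC 3986 §3.1 (`ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`), and at minimum the list should grow: `wellKnownSchemes := []string{"http", "https", "ftp", "mailto", "tel", "sms", "file", "data", "javascript", "ws", "wss", "blob", "about"}`. The commit message should name the compensating control for native apps (for instance PKCE being mandatory for public clients) since the reverse-domain rule was explicitly described as a security measure.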
