refactor: replace OAuth2 callback_url with RFC 6749 compliant redirect_uris #18810
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Warning This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
This stack of pull requests is managed by Graphite. Learn more about stacking. |
ThomasK33
force-pushed
the
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
branch
from
dd9cb2f to
ae754f4
Compare
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
f9e6552 to
1444efe
Compare
ThomasK33
changed the base branch from
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
to
graphite-base/18810
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
1444efe to
ef4a6c8
Compare
ThomasK33
force-pushed
the
graphite-base/18810
branch
from
ae754f4 to
ab73979
Compare
ThomasK33
changed the base branch from
graphite-base/18810
to
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
ef4a6c8 to
e24c4b5
Compare
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
e24c4b5 to
98e7f95
Compare
ThomasK33
force-pushed
the
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
branch
from
ab73979 to
b89c367
Compare
ThomasK33
force-pushed
the
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
branch
from
b89c367 to
b73b71d
Compare
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
98e7f95 to
2792051
Compare
This was referenced Jul 14, 2025
ThomasK33
changed the base branch from
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
to
graphite-base/18810
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
2792051 to
3dd0c37
Compare
ThomasK33
force-pushed
the
graphite-base/18810
branch
from
b73b71d to
386d77d
Compare
ThomasK33
changed the base branch from
graphite-base/18810
to
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
ThomasK33
force-pushed
the
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
branch
from
386d77d to
b58eed8
Compare
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
3dd0c37 to
962c22c
Compare
ThomasK33
changed the base branch from
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
to
graphite-base/18810
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
962c22c to
bed62ad
Compare
ThomasK33
force-pushed
the
graphite-base/18810
branch
from
b58eed8 to
9393060
Compare
ThomasK33
changed the base branch from
graphite-base/18810
to
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
Comment on lines
+7
to
+9
| -- being an array with a single NULL element. This is preferable to an empty | ||
| -- array as it will pass a CHECK for array length > 0, enforcing that all | ||
| -- apps have at least one URI entry, even if it's null. |
There was a problem hiding this comment.
Can't we make the CHECK check for the cardinality OR the "nullness"?
There was a problem hiding this comment.
I think I'm doing that in the client_credentials PR up in the stack, but I would need to double-check.
There was a problem hiding this comment.
I'm sorry. I just reread the comment. I'd rather not introduce a possible null here and perform a clean migration from callback_url to redirect_uris, then make sure that all of them get carried over.
The constraint for redirect_uris will be loosened in the PR introducing client_credentials. We'll then allow setting an empty redirect_uris array but not a null one.
| site.RenderStaticErrorPage(rw, r, site.ErrorPageData{ | ||
| Status: http.StatusInternalServerError, | ||
| HideStatus: false, | ||
| Title: "Internal Server Error", | ||
| Description: err.Error(), | ||
| Description: "OAuth2 app has no registered redirect URIs", |
There was a problem hiding this comment.
Ditto; bad request rather than internal server error.
…pliance Change-Id: I4823e475777ebdf75e3a80e47ff6bef1a556cd55 Signed-off-by: Thomas Kosiewski <tk@coder.com>
ThomasK33
force-pushed
the
thomask33/07-08-feat_replace_callback_url_with_redirect_uris_for_oauth2_rfc_6749_compliance
branch
from
bed62ad to
4fb1c39
Compare
ThomasK33
force-pushed
the
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
branch
from
9393060 to
2c31819
Compare
aslilac
reviewed
Jul 17, 2025
site/src/pages/DeploymentSettingsPage/OAuth2AppsSettingsPage/OAuth2AppForm.tsx
Show resolved
Hide resolved
ThomasK33
changed the base branch from
thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
to
graphite-base/18810
johnstcn
reviewed
Jul 21, 2025
| Icon string `json:"icon"` | ||
| ID uuid.UUID `json:"id" format:"uuid"` | ||
| Name string `json:"name"` | ||
| RedirectURIs []string `json:"redirect_uris"` |
There was a problem hiding this comment.
As I understand, you could only get this response if the OAuth2 provider was enabled, which was only available on development builds and not release builds. So not a breaking change, correct?
There was a problem hiding this comment.
Yes, either a dev build or if one actively enables the oauth2 experiment
Comment on lines
+499
to
+502
| // RFC 6749: Exact match against registered redirect URIs | ||
| if slices.Contains(registeredRedirectURIs, redirectURIParam) { | ||
| return redirectURL | ||
| } |
There was a problem hiding this comment.
suggestion: add a link to the spec https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3
Comment on lines
+237
to
238
| // @Accept application/x-www-form-urlencoded | ||
| // @Produce json |
There was a problem hiding this comment.
I found it hard to believe, but here it is https://datatracker.ietf.org/doc/html/rfc8628#section-3.2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
RFC 6749 Compliance: Replace callback_url with redirect_uris Array
This PR improves OAuth2 provider compliance with RFC 6749 by replacing the single
callback_urlfield with a properredirect_urisarray. This change allows OAuth2 clients to register multiple valid redirect URIs and enforces exact URI matching as required by the specification.Key changes:
callback_urlcolumn and makeredirect_uristhe source of truthThis change improves security by enforcing stricter redirect URI validation and provides more flexibility for OAuth2 clients that need multiple callback endpoints.