
fix: allow non-HTTP URIs in OAuth2 provider redirect URIs #18880


Draft
wants to merge 1 commit into
base: thomask33/07-14-feat_oauth2_add_bulk_token_revocation_endpoint_with_usage_tracking


ThomasK33
Member

Changed OAuth2 redirect URI validation to accept custom URI schemes

This PR updates the validation for OAuth2 provider app redirect URIs to use the more flexible uri validator instead of the stricter http_url validator. This allows for custom URI schemes that don't follow reverse domain notation, while still blocking well-known schemes like http, https, ftp, etc.

The change removes the requirement that custom schemes must contain a period, making the validation more permissive for various client applications while maintaining security by continuing to block well-known schemes.
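
The rule the description states, as an added sketch that is not code from this PR or from the project: a custom-scheme redirect URI check where `requireDot=true` models the old period requirement and `false` models the relaxed rule. The function name, the blocklist entries beyond http, https and ftp, and the fragment check (from RFC 6749 section 3.1.2) are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// http, https and ftp are named in the PR description; the other entries
// are assumptions added for this example.
var wellKnownSchemes = map[string]bool{
	"http": true, "https": true, "ftp": true,
	"file": true, "mailto": true, "javascript": true, "data": true,
}

// ValidateCustomSchemeRedirect (hypothetical name) reports whether raw is an
// acceptable custom-scheme redirect URI. requireDot=true models the old rule
// (scheme must contain a period); false models the relaxed rule.
func ValidateCustomSchemeRedirect(raw string, requireDot bool) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("not a valid URI: %w", err)
	}
	if u.Scheme == "" {
		return errors.New("scheme is required")
	}
	// url.Parse lower-cases the scheme, so "HTTPS" cannot slip past the map.
	if wellKnownSchemes[u.Scheme] {
		return fmt.Errorf("scheme %q is well-known, not a custom scheme", u.Scheme)
	}
	if requireDot && !strings.Contains(u.Scheme, ".") {
		return fmt.Errorf("scheme %q lacks reverse domain notation", u.Scheme)
	}
	// RFC 6749 section 3.1.2: the redirection endpoint URI has no fragment.
	if strings.Contains(raw, "#") {
		return errors.New("fragment is not allowed")
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{"myapp://callback", "com.example.app:/cb", "HTTPS://example.com/cb", "myapp://cb#x"} {
		fmt.Printf("%-26s old=%v new=%v\n", raw,
			ValidateCustomSchemeRedirect(raw, true), ValidateCustomSchemeRedirect(raw, false))
	}
}
```

Because every non-blocklisted scheme is accepted once the period requirement is gone, exact-match comparison of the registered redirect URI at authorization time remains the control that ties a callback to its client.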

Member Author

ThomasK33 commented Jul 15, 2025

@ThomasK33 ThomasK33 force-pushed the thomask33/07-15-fix_oauth2_allow_custom_uri_schemes_without_reverse_domain_notation_for_native_apps branch from 80b2b40 to a29e00a Compare July 17, 2025 13:43
@ThomasK33 ThomasK33 force-pushed the thomask33/07-14-feat_oauth2_add_bulk_token_revocation_endpoint_with_usage_tracking branch from 4e82d80 to 8830706 Compare July 17, 2025 13:43
@ThomasK33 ThomasK33 force-pushed the thomask33/07-15-fix_oauth2_allow_custom_uri_schemes_without_reverse_domain_notation_for_native_apps branch from a29e00a to 63934b4 Compare July 17, 2025 14:38
@ThomasK33 ThomasK33 force-pushed the thomask33/07-14-feat_oauth2_add_bulk_token_revocation_endpoint_with_usage_tracking branch from 8830706 to 13de8e2 Compare July 17, 2025 14:38
… for native apps

Change-Id: I4000cd39caa994efe0b76c4984e968f2963063ca
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/07-15-fix_oauth2_allow_custom_uri_schemes_without_reverse_domain_notation_for_native_apps branch from d9ecda1 to 0b47133 Compare July 17, 2025 16:25