Sam Schlegel created AIRFLOW-2185:
-------------------------------------

             Summary: OAuth2 based auth backends include query parameter in redirect_uri
                 Key: AIRFLOW-2185
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2185
             Project: Apache Airflow
          Issue Type: Bug
          Components: authentication
    Affects Versions: 1.9.0
            Reporter: Sam Schlegel
            Assignee: Sam Schlegel


Both the Google OAuth2 and GHE authentication plugins include the `next_url` as 
a query parameter in `redirect_uri`. This breaks at least Google OAuth2, unless 
you include the query parameter in the authorized redirect URI. This isn't the 
most flexible solution, as you would have to do the same for every potential 
next URL.

Instead, the next_url should be passed via state, per [[RFC6749] Section 3.1.2|https://tools.ietf.org/html/rfc6749#section-3.1.2]



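The approach the issue proposes, as an added example; it is not code from Airflow or from the reporter. The `redirect_uri` stays fixed at the one registered value and the post-login target travels in a signed `state`. The endpoint URLs, the secret, the nonce handling and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode, urlsplit

# Assumed values for illustration; not taken from Airflow or the issue.
SECRET_KEY = secrets.token_bytes(32)
AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"
REDIRECT_URI = "https://airflow.example.com/oauth2callback"  # the one registered URI

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())

def encode_state(next_url: str, nonce: str) -> str:
    """Pack next_url and a per-session nonce into a signed state value."""
    payload = _b64(json.dumps({"next": next_url, "nonce": nonce}).encode())
    return f"{payload}.{_sign(payload)}"

def build_authorize_url(client_id: str, next_url: str, nonce: str) -> str:
    """redirect_uri stays constant; the post-login target rides in state."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "state": encode_state(next_url, nonce),
    })

def is_local_path(url: str) -> bool:
    """Accept only same-site paths so state cannot carry an off-site redirect."""
    parts = urlsplit(url)
    return (url.startswith("/") and not url.startswith(("//", "/\\"))
            and not parts.scheme and not parts.netloc)

def decode_state(state: str, session_nonce: str) -> str:
    """Return next_url from the callback's state, or "/" if any check fails."""
    try:
        payload, sig = state.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return "/"  # state was altered or not issued by this server
        padded = payload + "=" * (-len(payload) % 4)
        data = json.loads(base64.urlsafe_b64decode(padded))
        if not hmac.compare_digest(data["nonce"], session_nonce):
            return "/"  # state belongs to a different login attempt
        return data["next"] if is_local_path(data["next"]) else "/"
    except (ValueError, TypeError, KeyError):
        return "/"
```

The nonce is expected to be stored in the user's session before the redirect and compared on the callback, which ties the `state` value to one login attempt.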