[ https://issues.apache.org/jira/browse/AIRFLOW-2185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Schlegel updated AIRFLOW-2185:
----------------------------------
    Description: 
Both the Google OAuth2 and GHE authentication plugins include the `next_url` as 
a query parameter in `redirect_uri`. This breaks at least Google OAuth2, unless 
you include the query parameter in the authorized redirection URI. This isn't 
the most flexible solution, as you would have to do the same for every 
potential next URL, and seems to go against the OAuth2 spec.

Instead, the `next_url` should be sent via the `state` parameter, which MUST be 
maintained by all spec-compliant OAuth2 implementations, and is not used when 
comparing redirection URIs.

  was:
Both the Google OAuth2 and GHE authentication plugins include the `next_url` as 
a query parameter in `redirect_uri`. This breaks at least Google OAuth2, unless 
you include the query parameter in the authorized redirect URI. This isn't the 
most flexible solution, as you would have to do the same for every potential 
next URL.

Instead, the next_url should be passed via state, per 
[https://tools.ietf.org/html/rfc6749#section-3.1.2]


> OAuth2 based auth backends include query parameter in redirect_uri
> ------------------------------------------------------------------
>
>                 Key: AIRFLOW-2185
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2185
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.9.0
>            Reporter: Sam Schlegel
>            Assignee: Sam Schlegel
>            Priority: Major



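The fix the report calls for, written out as an added example (it is neither Airflow's nor the reporter's code): the registered `redirect_uri` stays constant and `next_url` travels inside an HMAC-protected `state` bound to a per-session nonce. Assumed names: `REDIRECT_URI`, `STATE_SECRET`, and a nonce the app stores in the session before redirecting; `safe_next_url` goes a step beyond the report by rejecting absolute or protocol-relative targets so the recovered `next_url` cannot become an open redirect.

```python
# Added example, not Airflow's own code: carry next_url in the OAuth2 `state`
# parameter so the registered redirect_uri never varies (RFC 6749 sec. 3.1.2).
import base64, binascii, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_URI = "https://airflow.example.com/oauth2callback"  # assumed, registered once
STATE_SECRET = b"constructed-server-side-secret"               # assumed server secret

def _sign(payload: bytes) -> str:
    return hmac.new(STATE_SECRET, payload, hashlib.sha256).hexdigest()

def make_state(next_url: str, nonce: str) -> str:
    """Pack the per-session nonce and next_url into an HMAC-protected opaque string."""
    payload = json.dumps({"n": nonce, "next": next_url}).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"

def parse_state(state: str, session_nonce: str):
    """Return next_url if the signature and nonce verify, else None."""
    try:
        body, sig = state.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered state
    data = json.loads(payload)
    if not hmac.compare_digest(data["n"], session_nonce):
        return None  # replayed or cross-session state (login CSRF)
    return data["next"]

def safe_next_url(next_url: str, default: str = "/") -> str:
    """Accept only same-site relative paths, so state cannot become an open redirect."""
    p = urlsplit(next_url)
    if (p.scheme or p.netloc or "\\" in next_url
            or not next_url.startswith("/") or next_url.startswith("//")):
        return default
    return next_url

def build_authorize_url(auth_endpoint: str, client_id: str, next_url: str, nonce: str) -> str:
    """Authorization request: redirect_uri is constant, next_url rides in state."""
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
         "scope": "openid email", "state": make_state(next_url, nonce)}
    return f"{auth_endpoint}?{urlencode(q)}"

def handle_callback(callback_url: str, session_nonce: str):
    """Verify state on the provider's callback and return a safe post-login target."""
    state = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    next_url = parse_state(state, session_nonce)
    return None if next_url is None else safe_next_url(next_url)
```

Because `redirect_uri` carries no query string, the provider's exact-match check against the single registered callback succeeds for every possible `next_url`.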
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)