[ 
https://issues.apache.org/jira/browse/AIRFLOW-2185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16388401#comment-16388401
 ] 

Sam Schlegel commented on AIRFLOW-2185:
---------------------------------------

Fix available in https://github.com/apache/incubator-airflow/pull/3103

> OAuth2 based auth backends include query parameter in redirect_uri
> ------------------------------------------------------------------
>
>                 Key: AIRFLOW-2185
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2185
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: authentication
>    Affects Versions: 1.9.0
>            Reporter: Sam Schlegel
>            Assignee: Sam Schlegel
>            Priority: Major
>
> Both the Google OAuth2 and GHE authentication plugins include the `next_url` 
> as a query parameter in redirect_uri. This breaks at least Google OAuth2, 
> unless you include the query parameter in the authorized redirection URI. 
> This isn't the most flexible solution, as you would have to do the same for 
> every potential next URL, and seems to go against the OAuth2 spec.
> Instead the next_url should be sent via the state parameter which MUST be 
> maintained by all spec compliant OAuth2 implementations, and is not used when 
> comparing redirection URIs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
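
The approach proposed in the issue, as an added Python example (not code from the linked pull request or from Airflow): the redirect_uri stays fixed and next_url travels in a signed state value that is checked when it comes back. The key, the URLs and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode, urlsplit

# Constructed values for this example (assumptions, not Airflow settings).
STATE_KEY = b"constructed-demo-key"
REDIRECT_URI = "https://airflow.example.com/oauth2callback"  # registered as-is, no query
AUTHORIZE_URL = "https://idp.example.com/o/oauth2/auth"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(payload: str) -> str:
    return _b64(hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest())


def make_state(next_url: str, nonce: str) -> str:
    """Pack next_url and a per-session nonce into a signed state value."""
    payload = _b64(json.dumps({"next": next_url, "nonce": nonce}).encode())
    return payload + "." + _sign(payload)


def read_state(state: str, session_nonce: str) -> str:
    """Return next_url from the returned state, or "/" if any check fails."""
    payload, _, tag = state.partition(".")
    if not hmac.compare_digest(tag.encode(), _sign(payload).encode()):
        return "/"  # state was modified or not issued by us
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    data = json.loads(raw)
    if not hmac.compare_digest(str(data["nonce"]).encode(), session_nonce.encode()):
        return "/"  # state belongs to another login attempt (CSRF check)
    nxt = str(data["next"])
    parts = urlsplit(nxt)
    # Accept only same-site paths so state cannot be used as an open redirect.
    if parts.scheme or parts.netloc or not nxt.startswith("/") or nxt[1:2] in ("/", "\\"):
        return "/"
    return nxt


def authorization_url(client_id: str, next_url: str, nonce: str) -> str:
    """Build the authorization request; redirect_uri never carries next_url."""
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": REDIRECT_URI, "state": make_state(next_url, nonce)}
    return AUTHORIZE_URL + "?" + urlencode(query)
```

The nonce is expected to be a random value stored in the user's session before the redirect and compared on the callback.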
