Repository: incubator-airflow Updated Branches: refs/heads/master 7a880a7e9 -> eeca38396
[AIRFLOW-2185] Use state instead of query param Both the Google OAuth2 and GHE authentication plugins include the `next_url` as a query parameter in redirect_uri. This breaks at least Google OAuth2, unless you include the query parameter in the authorized redirection URI. This isn't the most flexible solution, as you would have to do the same for every potential next URL, and seems to go against the OAuth2 spec. Instead the next_url should be sent via the state parameter which MUST be maintained by all spec compliant OAuth2 implementations, and is not used when comparing redirection URIs. Closes #3103 from samschlegel/AIRFLOW-2185 Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/eeca3839 Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/eeca3839 Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/eeca3839 Branch: refs/heads/master Commit: eeca38396015589f7dddd67f8836d5d8aa7ac010 Parents: 7a880a7 Author: Sam Schlegel <g...@lutin.us> Authored: Thu Mar 15 09:01:54 2018 +0100 Committer: Fokko Driesprong <fokkodriespr...@godatadriven.com> Committed: Thu Mar 15 09:01:54 2018 +0100 ---------------------------------------------------------------------- airflow/contrib/auth/backends/github_enterprise_auth.py | 6 +++--- airflow/contrib/auth/backends/google_auth.py | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/eeca3839/airflow/contrib/auth/backends/github_enterprise_auth.py ----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/github_enterprise_auth.py b/airflow/contrib/auth/backends/github_enterprise_auth.py
index 2d7b345..6e4ec30 100644
--- a/airflow/contrib/auth/backends/github_enterprise_auth.py
+++ b/airflow/contrib/auth/backends/github_enterprise_auth.py
@@ -122,8 +122,8 @@ class GHEAuthBackend(object):
 log.debug('Redirecting user to GHE login')
 return self.ghe_oauth.authorize(callback=url_for(
 'ghe_oauth_callback',
- _external=True,
- next=request.args.get('next') or request.referrer or None))
+ _external=True),
+ state=request.args.get('next') or request.referrer or None)
 def get_ghe_user_profile_info(self, ghe_token):
 resp = self.ghe_oauth.get(self.ghe_api_route('/user'),
@@ -188,7 +188,7 @@ class GHEAuthBackend(object):
 def oauth_callback(self, session=None):
 log.debug('GHE OAuth callback called')
- next_url = request.args.get('next') or url_for('admin.index')
+ next_url = request.args.get('state') or url_for('admin.index')
 resp = self.ghe_oauth.authorized_response()
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/eeca3839/airflow/contrib/auth/backends/google_auth.py ----------------------------------------------------------------------
diff --git a/airflow/contrib/auth/backends/google_auth.py b/airflow/contrib/auth/backends/google_auth.py
index 65e0f3a..5ac75fd 100644
--- a/airflow/contrib/auth/backends/google_auth.py
+++ b/airflow/contrib/auth/backends/google_auth.py
@@ -109,8 +109,8 @@ class GoogleAuthBackend(object):
 return self.google_oauth.authorize(callback=url_for(
 'google_oauth_callback',
 _external=True,
- _scheme='https',
- next=request.args.get('next') or request.referrer or None))
+ _scheme='https'),
+ state=request.args.get('next') or request.referrer or None)
 def get_google_user_profile_info(self, google_token):
 resp = self.google_oauth.get('https://www.googleapis.com/oauth2/v1/userinfo',
@@ -143,7 +143,7 @@ class GoogleAuthBackend(object):
 def oauth_callback(self, session=None):
 log.debug('Google OAuth callback called')
- next_url = request.args.get('next') or url_for('admin.index')
+ next_url = request.args.get('state') or url_for('admin.index')
 resp = self.google_oauth.authorized_response()
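Review bot: The new `state=request.args.get('next') or request.referrer or None` argument in the GHE `authorize` hunk (and the identical one in the google_auth.py hunk at `@@ -109,8`) repurposes the OAuth2 `state` parameter as a bare carrier for the post-login URL, and nothing in these hunks records that value in the session for the callback to compare against, so the callback cannot distinguish an authorization response it initiated from one it did not. The spec permits opaque data in `state`, but its primary role is to bind the response to the browser session; unless flask-oauthlib verifies it internally (nothing shown here suggests it does), that binding is now absent. I would generate a random nonce per login, keep the nonce and the intended next URL in the Flask `session`, pass only the nonce as `state`, and have `oauth_callback` refuse to call `authorized_response()` when `request.args.get('state')` does not equal the stored nonce. Both enclosing `authorize` methods begin outside the hunks.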
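Review bot: `next_url = request.args.get('state') or url_for('admin.index')` in the GHE `oauth_callback` hunk (same line in the google_auth.py hunk at `@@ -143,7`) takes a redirect target straight from the callback query string without checking that it points back into this application; the value originates from `request.args.get('next')` or `request.referrer` in the authorize hunks, so it is supplied by the client rather than by server-side configuration. The redirect that consumes `next_url` lies outside the hunk, so I cannot confirm it is unguarded, but nothing shown constrains it to a local path. I would normalise it before use, e.g. `parts = urlparse(next_url)` followed by `if parts.scheme or parts.netloc: next_url = url_for('admin.index')` (with `from urllib.parse import urlparse`). `oauth_callback` continues outside the hunk.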