liweitianux opened a new pull request, #7690: URL: https://github.com/apache/apisix/pull/7690
### Description

Previously the `redirect_uri` was set to `ngx.var.request_uri` if not configured. However, it caused the underlying `lua-resty-openidc` module to raise this error:

```
request to the redirect_uri path but there's no session state found
```

because `lua-resty-openidc` would think it was the redirection response from OP when the `redirect_uri` equals `ngx.var.request_uri`.

Although the OAuth 2.0 Security Best Current Practice [1] recommends that the `redirect_uri` should be explicitly specified to prevent malicious redirection attacks, it would also be handy for APISIX to properly determine a default one if `redirect_uri` is not given. Therefore, append the `.apisix/redirect` suffix to the current request URI to determine the default `redirect_uri`. It makes `lua-resty-openidc` happy and it's almost unlikely to conflict with users' URIs.

Also note that the OP should be properly configured to accept such auto-determined redirect URIs.

Update the documentation accordingly.

Fix #2426.

[1] https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [ ] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
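The following is an added illustration of the problem the PR describes; it is not code from the PR, from APISIX or from `lua-resty-openidc`. It models `lua-resty-openidc`'s callback detection as a bare path comparison (the PR text says the failure occurs when `redirect_uri` equals `ngx.var.request_uri`), shows why the old default triggered that detection on every request, derives the new `.apisix/redirect` default, and checks the derived URI against an OP's registered list with exact matching. Assumptions not stated in the PR: plain Lua 5.x with no `ngx` API, a `/` separator before the suffix (so the callback is its own path segment), a callback request that already carries the suffix is left as is rather than suffixed twice, and the `https://gateway.example` origin and registration list are constructed placeholders.

```lua
-- Added example, not code from APISIX or lua-resty-openidc. It models the
-- problem described in the PR: lua-resty-openidc treats a request whose path
-- equals the redirect_uri path as the OP's redirection response, so a default
-- of redirect_uri = ngx.var.request_uri matched on every request and failed
-- with "request to the redirect_uri path but there's no session state found".
-- Assumptions: plain Lua 5.x with no ngx API; the callback check is reduced to
-- a path comparison; a leading "/" before the suffix; the "already on the
-- callback path" case is handled by not appending the suffix twice (the PR
-- text does not spell that out).

local REDIRECT_SUFFIX = "/.apisix/redirect"

-- Path component only: drop the query string (and anything after it).
local function path_of(uri)
  return (uri:gsub("%?.*$", ""))
end

-- Old default: the request URI itself. Every request then "is" the callback.
local function old_default_redirect_uri(request_uri)
  return request_uri
end

-- New default: the request path plus a fixed suffix, so the callback path is
-- distinct from the protected path and unlikely to collide with user routes.
local function new_default_redirect_uri(request_uri)
  local path = path_of(request_uri)
  if path:sub(-#REDIRECT_SUFFIX) == REDIRECT_SUFFIX then
    return path -- already the callback request; do not append again
  end
  return path .. REDIRECT_SUFFIX
end

-- Simplified stand-in for lua-resty-openidc's callback detection.
local function looks_like_callback(request_uri, redirect_uri)
  return path_of(request_uri) == path_of(redirect_uri)
end

-- The OP side: an auto-derived redirect_uri only works if it is registered.
-- Exact string matching is what the OAuth 2.0 Security BCP asks for; prefix
-- or wildcard matching would widen the set of accepted redirect targets.
local function op_accepts(registered, redirect_uri)
  for _, allowed in ipairs(registered) do
    if allowed == redirect_uri then
      return true
    end
  end
  return false
end

-- Constructed sample requests: a protected path with and without a query
-- string, and the callback request the OP sends the browser back to.
local samples = {
  "/api/orders",
  "/api/orders?page=2",
  "/api/orders/.apisix/redirect?code=abc&state=xyz",
}

-- Constructed OP registration for the new scheme (origin is a placeholder).
local origin = "https://gateway.example"
local registered_at_op = { origin .. "/api/orders/.apisix/redirect" }

for _, req in ipairs(samples) do
  local old = old_default_redirect_uri(req)
  local new = new_default_redirect_uri(req)
  print(req)
  print("  old default -> " .. old ..
        "  treated as callback: " .. tostring(looks_like_callback(req, old)))
  print("  new default -> " .. new ..
        "  treated as callback: " .. tostring(looks_like_callback(req, new)))
  print("  OP accepts  -> " .. tostring(op_accepts(registered_at_op, origin .. new)))
end
```

Running it with a stock `lua` interpreter shows the old default reporting every sample as a callback (the first two have no session state, hence the error), while the new default reports only the third sample, which really is the OP's redirection, and the exact-match check passes only because the derived URI was registered at the OP beforehand.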
