
  • Multiple registered redirect URIs

    Hi,

    OAuth2 specification (v2-23) seems to say that multiple redirect URIs can be pre-registered with the provider.

    If multiple redirection URIs have been registered, if only part of
    the redirection URI has been registered, or if no redirection URI has
    been registered, the client MUST include a redirection URI with the
    authorization request using the "redirect_uri" request parameter.

    When a redirection URI is included in an authorization request, the
    authorization server MUST compare and match the value received
    against at least one of the registered redirection URIs (or URI
    components) as defined in [RFC3986] section 6, if any redirection
    URIs were registered. If the client registration included the full
    redirection URI, the authorization server MUST compare the two URIs
    using simple string comparison as defined in [RFC3986] section 6.2.1.

    Is this possible with Spring OAuth?

    (It seems it is only possible to pre-register one redirect URI, because the ClientDetails interface only has a property for one webServerRedirectUri.)

    Best regards,

    Will

  • #2
    Correct. Why do you need multiple registered redirects?



    • #3
      Hi Dave,

      I am working on ORCID.

      Some of the potential users of the ORCID REST API are publishers. In some cases they have several hundred or even thousands of different journals that will interact with the ORCID API, which will be using Spring Security OAuth.

      They have asked if they can use one client ID for all of their journals, because that will be easier for them to manage. However, they want users to be redirected back to the correct journal after they have authorized access to their data.

      So, we'd like to allow them to register a different redirect URI for each journal. They would pass the redirect URI for the journal when they send the user to ORCID for authorization, and we would like to validate that against a list of allowed values for the client.

      Best regards,

      Will


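      The validation described in the post above, as an added example (not code from the thread or from Spring Security OAuth): one client ID holds an allow-list of complete redirect URIs, and a redirect_uri sent with the authorization request is accepted only if it is exactly equal to one of them, the "simple string comparison" of RFC 3986 section 6.2.1 that the quoted draft requires. Client ID and journal hostnames are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    redirect_uris: frozenset  # complete, absolute URIs registered up front


class RedirectUriError(ValueError):
    """Raised when the redirect_uri in an authorization request is rejected."""


def resolve_redirect_uri(client: RegisteredClient, requested: Optional[str]) -> str:
    """Choose the redirect URI for an authorization request.

    Rules taken from the draft text quoted in the thread:
    - with several URIs registered, the request MUST carry redirect_uri;
    - a supplied redirect_uri MUST equal a registered value exactly:
      no prefix match, case folding or trailing-slash tolerance, so the
      provider never sends an authorization code anywhere the client
      did not register.
    """
    if requested is None:
        if len(client.redirect_uris) == 1:
            return next(iter(client.redirect_uris))
        raise RedirectUriError("redirect_uri is required when several URIs are registered")
    if requested in client.redirect_uris:  # set membership == exact string equality
        return requested
    raise RedirectUriError("redirect_uri does not match a registered value")


def is_allowed(client: RegisteredClient, requested: Optional[str]) -> bool:
    """True if resolve_redirect_uri would accept the request."""
    try:
        resolve_redirect_uri(client, requested)
        return True
    except RedirectUriError:
        return False


# Constructed sample data: one publisher client ID shared by several journals.
PUBLISHER = RegisteredClient(
    client_id="publisher-client",  # hypothetical client ID
    redirect_uris=frozenset({
        "https://journal-a.example.org/orcid/callback",
        "https://journal-b.example.org/orcid/callback",
    }),
)
```

      Near-misses such as an added trailing slash, an upper-cased host, an extra query parameter or a lookalike domain that merely starts with a registered host all fail `is_allowed`, which is the point of exact comparison.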

      • #4
        I see. I guess your client could register a single callback and then bounce from there to the selected journal quite easily (that's quite normal, I think), so this doesn't seem like a showstopper. But we can think about multi-valued redirects for the framework as well. It doesn't have a high priority for me right now, but feel free to open a JIRA for tracking the requirement. If you want to contribute some code, read the README and fill in the contributor's agreement.



        • #5
          Thanks, Dave.

          Understood.
