Wildcard Redirect or Post Logout Redirect Uris

Question

Wildcard Redirect or Post Logout Redirect Uris

kdudley21 opened this issue 4 months ago · comments

kdudley21 commented 4 months ago

Confirm you've already contributed to this project or that you sponsor it

I confirm I'm a sponsor or a contributor

Version

5.1.0

Question

Good morning !

I know this may come as an odd questions but does openiddict support wildcard Redirect or Post Logout Redirect Uris ?
This way I could set up a client and regardless of the passed redirect or postlogout redirect uri as long as it matched the wildcard pattern it would honor it.

As always thanks a ton for your help!

Kévin Chalet · Answer 1 · Wed Apr 10 2024 23:37:05 GMT+0800 (China Standard Time)

Hey @kdudley21 😃

Support is reserved to sponsors and contributors who still have a valid subscription active. For more information on how to sponsor the project on GitHub, visit https://github.com/sponsors/kevinchalet.

Hope to see you back on board!

kdudley21 · Answer 2 · Wed Apr 10 2024 23:42:04 GMT+0800 (China Standard Time)

Hey there ! Sorry about that I didnt realize it had been so long since I contributed ! I went ahead and made a contribution so hopefully that will be my account back in good standings :) . Do I need to open another issue or is it possibly to re-open the question I posted ? Have a great day !

…

On Wed, Apr 10, 2024 at 11:37 AM Kévin Chalet ***@***.***> wrote: Closed #310 <#310> as completed. — Reply to this email directly, view it on GitHub <#310 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTK6C3YDF7D4BW34E3ZVUDY4VMDPAVCNFSM6AAAAABGAVHL5KVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJSGQZDIMZSGU3TSNQ> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

Kévin Chalet · Answer 3 · Thu Apr 11 2024 00:03:19 GMT+0800 (China Standard Time)

Sorry about that I didnt realize it had been so long since I contributed !

No worries 😄
Thanks for re-sponsoring the project!

I know this may come as an odd questions but does openiddict support wildcard Redirect or Post Logout Redirect Uris ?
This way I could set up a client and regardless of the passed redirect or postlogout redirect uri as long as it matched the wildcard pattern it would honor it.

It's not supported OOTB since it's generally regarded as a terrible practice that should really be avoided in almost all cases.
I'm sure there's a better option in your case. Could you tell me more about your scenario?

Note: if you're absolutely sure you NEED to support wildcard, you can customize the validation logic by overriding these methods:

https://github.com/openiddict/openiddict-core/blob/6ac8c2c53ef4008376b1b408d17efef13354a3b3/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs#L1491-L1562

https://github.com/openiddict/openiddict-core/blob/6ac8c2c53ef4008376b1b408d17efef13354a3b3/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs#L1419-L1489

... of course, I don't recommend it 😄

kdudley21 · Answer 4 · Thu Apr 11 2024 00:15:34 GMT+0800 (China Standard Time)

Thanks a ton ! I was thinking about it because if I have an application that is on multiple domains it would make it so I could use wildcards to match on part of the url instead of having to manage all of it. I definitely see your point though that it is a big security risk to enable that and its best practice to go ahead and manage the list to prevent any malicious behaviour that could exploit that. I dont think I will proceed with overriding the methods but If I did, is there a way that you know of to override just that method inside of my project inside of having to download and compile the existing repo ? (I'm pretty sure this isn't the case but I was hoping I could continue to keep the nuget package up to date while only overriding that one method) As always I truly appreciate your help !

…

On Wed, Apr 10, 2024 at 12:03 PM Kévin Chalet ***@***.***> wrote: Sorry about that I didnt realize it had been so long since I contributed ! No worries 😄 Thanks for re-sponsoring the project! I know this may come as an odd questions but does openiddict support wildcard Redirect or Post Logout Redirect Uris ? This way I could set up a client and regardless of the passed redirect or postlogout redirect uri as long as it matched the wildcard pattern it would honor it. It's not supported OOTB since it's generally regarded as a terrible practice that should really be avoided in almost all cases. I'm sure there's a better option in your case. Could you tell me more about your scenario? Note: if you're absolutely sure you NEED to support wildcard, you can customize the validation logic by overriding these methods: https://github.com/openiddict/openiddict-core/blob/6ac8c2c53ef4008376b1b408d17efef13354a3b3/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs#L1491-L1562 https://github.com/openiddict/openiddict-core/blob/6ac8c2c53ef4008376b1b408d17efef13354a3b3/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs#L1419-L1489 ... of course, I don't recommend it 😄 — Reply to this email directly, view it on GitHub <#310 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTK6C4XBNP5R62KG47FIJDY4VPFZAVCNFSM6AAAAABGAVHL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBXHEZTKMZVGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Kévin Chalet · Answer 5 · Thu Apr 11 2024 01:52:38 GMT+0800 (China Standard Time)

there a way that you know of to override just that method inside of my project inside of having to download and compile the existing repo ?

Sure, for that, you'll need to subclass OpenIddictApplicationManager<TApplication> and override the methods I mentioned. Once it's done, simply call services.AddOpenIddict().AddCore().ReplaceApplicationManager<MyApplicationManager>() to replace the default application manager by your custom one 😃

I definitely see your point though that it is a big security risk to enable that and its best practice to go ahead and manage the list to prevent any malicious behaviour that could exploit that.

👍🏻

As always I truly appreciate your help !

My pleasure!

kdudley21 · Answer 6 · Thu Apr 11 2024 03:29:58 GMT+0800 (China Standard Time)

Thanks ! So I created a subclass public class CustomOpenIddictApplicationManager<TApplication> : OpenIddictApplicationManager<TApplication> where TApplication : class but when I add it after .AddCore its looking for a type <TApplication> at the ReplaceApplicationManager options.ReplaceApplicationManager<CustomOpenIddictApplicationManager<>>(); Is there a specific type I should pass in for TApplication ?

…

On Wed, Apr 10, 2024 at 1:52 PM Kévin Chalet ***@***.***> wrote: Reopened #310 <#310>. — Reply to this email directly, view it on GitHub <#310 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTK6C6JELRI72XZL6OXTPTY4V37XAVCNFSM6AAAAABGAVHL5KVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJSGQZDMMJSGYYTANY> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

kdudley21 · Answer 7 · Thu Apr 11 2024 04:48:43 GMT+0800 (China Standard Time)

It looks like when i changed it to options.ReplaceApplicationManager(typeof(CustomOpenIddictApplicationManager<>)); It worked using the type. Thanks again for all your help !

…

On Wed, Apr 10, 2024 at 3:29 PM Kirk ***@***.***> wrote: Thanks ! So I created a subclass public class CustomOpenIddictApplicationManager<TApplication> : OpenIddictApplicationManager<TApplication> where TApplication : class but when I add it after .AddCore its looking for a type <TApplication> at the ReplaceApplicationManager options.ReplaceApplicationManager<CustomOpenIddictApplicationManager<>>(); Is there a specific type I should pass in for TApplication ? On Wed, Apr 10, 2024 at 1:52 PM Kévin Chalet ***@***.***> wrote: > Reopened #310 > <#310>. > > — > Reply to this email directly, view it on GitHub > <#310 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABTK6C6JELRI72XZL6OXTPTY4V37XAVCNFSM6AAAAABGAVHL5KVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJSGQZDMMJSGYYTANY> > . > You are receiving this because you were mentioned.Message ID: > ***@***.*** > com> >

Kévin Chalet · Answer 8 · Thu Apr 11 2024 05:25:50 GMT+0800 (China Standard Time)

It worked using the type.

👍🏻

Alternatively, if you prefer using a specific entity, you can use a concrete TApplication argument.
E.g if you're using EF Core: MyApplicationManager : OpenIddictApplicationManager<OpenIddictEntityFrameworkCoreApplication>

kdudley21 · Answer 9 · Thu Apr 11 2024 06:18:29 GMT+0800 (China Standard Time)

Thanks! Is there a preferred way to do it or is it really whatever way you decide to do it doesn't matter because it'll work all the same

…

On Wed, Apr 10, 2024, 5:26 PM Kévin Chalet ***@***.***> wrote: It worked using the type. 👍🏻 Alternatively, if you prefer using a specific entity, you can use a concrete TApplication argument. E.g if you're using EF Core: MyApplicationManager : OpenIddictApplicationManager<OpenIddictEntityFrameworkCoreApplication> — Reply to this email directly, view it on GitHub <#310 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTK6C6UVEHDBEV2TR4N3UDY4WU7JAVCNFSM6AAAAABGAVHL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBYGQ3DCNBZG4> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Kévin Chalet · Answer 10 · Thu Apr 11 2024 06:39:05 GMT+0800 (China Standard Time)

I personally prefer the open generics approach - i.e the approach you ended up with - as it's more flexible), but folks sometimes think it's a bit more complicated, so I generally suggest going with closed generics 😄

kdudley21 · Answer 11 · Thu Apr 11 2024 08:13:37 GMT+0800 (China Standard Time)

That makes me feel better ! Like I said I will probably stick with explicit redirect Uris but I love learning so it was great learning how to if i need to.

…

On Wed, Apr 10, 2024 at 6:39 PM Kévin Chalet ***@***.***> wrote: I personally prefer the open generics approach - i.e the approach you ended up with - as it's more flexible), but folks sometimes think it's a bit more complicated, so I generally suggest going with closed generics 😄 — Reply to this email directly, view it on GitHub <#310 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTK6CZKLZB2SDYVNYIO7K3Y4W5R5AVCNFSM6AAAAABGAVHL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBYGU2TANZYGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

Kévin Chalet · Answer 12 · Thu Apr 11 2024 22:22:33 GMT+0800 (China Standard Time)

That makes me feel better ! Like I said I will probably stick with explicit redirect Uris but I love learning so it was great learning how to if i need to.

I love that attitude! ❤️ 👍🏻