https redirect url #32
Comments
Curious why you require a secure URL for redirect? What are examples of acceptable redirect URLs?

Hi @sckott We're following the RFC 6749 recommendations for redirect endpoint confidentiality. The standard says that the redirection endpoint SHOULD require the use of TLS and, if not, the authorization server should emit a warning to the user; however, our security policies are a bit more strict and we're enforcing this as a MUST. Any absolute URL as defined in RFC 3986 section 4.3 should do, as long as the scheme is …

TL;DR: we're sending sensitive info (an authorization code) through this redirect endpoint. On unsecured networks, such as public WiFi, anyone can read that code unless the redirect endpoint is secured. I hope this helps.

thanks for the quick response @cezar-berea - Using this from R, and we typically use http://localhost:1410 as a redirect URL when doing OAuth - If the OAuth flow is being done locally on someone's machine (not on a public website), would a …

When working locally it's safe to use …

okay, thanks, seems hard to imagine the RFC wouldn't allow for localhost workflows, but I imagine that is an edge case

Thanks for looking into this @cezar-berea - AFAICT there's no way for our R client for figshare https://github.com/ropensci/rfigshare to work unless we can do a …

Any update on adding an exception for localhost? This would be very helpful for local development against the API.

Is there any update on this? I'm currently unable to develop locally due to the https requirement for localhost.
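The following is an added example, not code from the figshare API, the rfigshare client, or anything the thread says was implemented. It shows the check an authorization server would run on a redirect URI under the two policies discussed above: the strict https-only rule described by @cezar-berea, and the loopback exception asked for by @sckott, which RFC 8252 (OAuth 2.0 for Native Apps, sections 7.3 and 8.3) permits for plain http to 127.0.0.1 or [::1]. Treating the host name "localhost" as loopback is an assumption made here; RFC 8252 recommends the literal IP addresses. The helper names (`validate_redirect_uri`, `matches_registered`, `build_redirect_location`) are hypothetical. The last function builds the redirect the server sends, to make concrete where the authorization code travels and why a cleartext scheme exposes it.

```python
import ipaddress
from urllib.parse import urlsplit, urlencode

# Assumption: "localhost" is accepted as a loopback name in addition to the
# literal addresses 127.0.0.1 and ::1 that RFC 8252 section 7.3 names.
LOOPBACK_NAMES = {"localhost"}


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1, or the assumed loopback names."""
    if not host:
        return False
    h = host.lower()
    if h in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def validate_redirect_uri(uri, allow_loopback_http=False):
    """Apply the registration policy. Returns (accepted, reason).

    allow_loopback_http=False is the strict policy from the thread
    (TLS is a MUST). True adds the RFC 8252 loopback exception.
    """
    parts = urlsplit(uri)
    # RFC 6749 section 3.1.2 requires an absolute URI (RFC 3986 section 4.3)
    # with no fragment component.
    if not parts.scheme or not parts.netloc:
        return False, "redirect URI must be absolute"
    if parts.fragment:
        return False, "redirect URI must not contain a fragment"
    scheme = parts.scheme.lower()
    if scheme == "https":
        return True, "ok"
    if scheme == "http":
        if allow_loopback_http and is_loopback_host(parts.hostname):
            return True, "ok (loopback exception, RFC 8252 section 7.3)"
        return False, "http would expose the authorization code in transit"
    return False, "unsupported scheme: %s" % scheme


def matches_registered(registered, presented):
    """Exact-match the redirect_uri presented at authorization time against
    the registered one. For a loopback http URI the port may differ, because
    native apps bind an ephemeral port (RFC 8252 section 7.3)."""
    r, p = urlsplit(registered), urlsplit(presented)
    if (r.scheme.lower(), r.hostname, r.path, r.query) != (
        p.scheme.lower(), p.hostname, p.path, p.query
    ):
        return False
    if r.scheme.lower() == "http" and is_loopback_host(r.hostname):
        return True
    return r.port == p.port


def build_redirect_location(redirect_uri, code, state):
    """The Location header value of the authorization response. The code is
    carried in the query string, so over http it is readable on the wire."""
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode({"code": code, "state": state})


if __name__ == "__main__":
    # Constructed inputs: the R client's default and a few variants.
    for uri in ("http://localhost:1410", "http://127.0.0.1:1410/",
                "http://[::1]:1410/", "http://example.org/cb",
                "https://example.org/cb", "https://example.org/cb#x"):
        print(uri, validate_redirect_uri(uri),
              validate_redirect_uri(uri, allow_loopback_http=True))
    print(build_redirect_location("http://localhost:1410", "c0de", "st8"))
```

Under the strict policy every http URI, including `http://localhost:1410`, is rejected, which is the behaviour the thread reports; switching on `allow_loopback_http` accepts only loopback hosts and still rejects `http://example.org/cb`, so the exception does not weaken the rule for any redirect that actually leaves the machine.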