BUG: OAuth2 Authorization Code Flow fails for intermediate redirects with an auth code #2147

Open
2 tasks done
dakshin-k opened this issue Apr 21, 2024 · 0 comments · May be fixed by #2148
Labels
bug Something isn't working

@dakshin-k

I have checked the following:

  • I use the newest version of bruno.
  • I've searched existing issues and found nothing related to my issue.

Describe the bug

On similar lines as #1778, the authorization flow fails when there is a multi-step authorization, and one of the redirect URLs also contains code as a query parameter.

My example scenario where this happened:

Auth server: Keycloak using OIDC, backed by Google accounts as an ID provider
On successful auth, Keycloak sends an intermediate redirect to the following URL (Note the code= at the end):

https://<keycloak URL>/realms/<realm>/broker/google/endpoint?state=<state>&code=<code>&...

Since this URL has code as a query param but the URL is not the expected callback URL, Bruno throws the following error:

Error occurred in handler for 'send-collection-oauth2-request': Error: Invalid Callback Url: {url}
    at onWindowRedirect (/Users/dakshin/projects/personal/bruno/packages/bruno-electron/src/ipc/network/authorize-user-in-window.js:37:18)
    at EventEmitter.willRedirectListener (/Users/dakshin/projects/personal/bruno/packages/bruno-electron/src/ipc/network/authorize-user-in-window.js:78:7)
    at EventEmitter.emit (node:events:527:28)

.bru file to reproduce the bug

No response

Screenshots/Live demo link

@dakshin-k dakshin-k added the bug Something isn't working label Apr 21, 2024
dakshin-k added a commit to dakshin-k/bruno that referenced this issue Apr 21, 2024
… code in query parameters

In an Authorization code flow, there may be multiple intermediate redirects before reaching the final one which matches the callback URL and has a code in the query params.

We should wait until we see a redirect URI that matches both the conditions. This fixes the issue where, when a redirect contains `code` as a query param but is not the final one (i.e., is not to the callback URL) an error is thrown saying the callback URL is invalid.

Fixes usebruno#2147
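
The rule the commit message describes, as an added example (not code from Bruno or from the linked commit): a redirect ends the flow only when it targets the registered callback URL and carries a `code`, and a `code` on any other URL is ignored. The function names, the optional `state` check and the sample URLs are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical and all URLs are constructed.

// True only when origin and path equal the registered callback exactly.
// Comparing parsed origins avoids the prefix-match pitfall where
// "https://app.example.attacker.test/..." passes a startsWith() check.
function isCallback(redirectUrl, callbackUrl) {
  const seen = new URL(redirectUrl);
  const expected = new URL(callbackUrl);
  return seen.origin === expected.origin && seen.pathname === expected.pathname;
}

// Classify one redirect observed in the authorization window.
// Returns { done: false } to keep following redirects, or
// { done: true, code } once the final callback has been reached.
function handleRedirect(redirectUrl, callbackUrl, expectedState) {
  if (!isCallback(redirectUrl, callbackUrl)) {
    // Intermediate hop (for example an identity broker endpoint):
    // any `code` it carries belongs to that hop, not to this client.
    return { done: false };
  }
  const params = new URL(redirectUrl).searchParams;
  if (params.has('error')) {
    throw new Error(`Authorization failed: ${params.get('error')}`);
  }
  if (expectedState !== undefined && params.get('state') !== expectedState) {
    throw new Error('State mismatch on callback');
  }
  const code = params.get('code');
  // Callback URL without a code yet: both conditions are not met, keep waiting.
  return code ? { done: true, code } : { done: false };
}

// Constructed redirect chain: broker hop, lookalike host, then the real callback.
const SAMPLE_CALLBACK = 'https://app.example/callback';
const SAMPLE_CHAIN = [
  'https://idp.example/realms/demo/broker/google/endpoint?state=s1&code=broker-code',
  'https://app.example.attacker.test/callback?state=s1&code=stolen',
  'https://app.example/callback?state=s1&code=final-code',
];

function runSampleChain() {
  return SAMPLE_CHAIN.map((url) => handleRedirect(url, SAMPLE_CALLBACK, 's1'));
}

console.log(runSampleChain());
```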