Allow wildcard redirect URLs

[johanbrook]

We have a case where the redirect URLs are dynamic. I.e. something like http://*.ourdomain.com. It's something we don't have any control over. It's for our own apps, so the clients are trusted.

Since there doesn't seem to be a way for auth code flow to not use redirect URLs from the model, I'm wondering over if a wildcard solution is the way to go.

Instead of doing string matching (in here: https://github.com/thomseddon/node-oauth2-server/blob/master/lib/authCodeGrant.js#L107-L126), the code should match agains wildcards with * characters. In that case, we can store redirect URLs in the model, just like it is now, but the comparison would change.

[mjsalinger]

I don't think this is a change we would want to do - as wildcard redirect URIs are a violation of the OAuth2 spec. The absolute redirect uri is an important security mechanism to prevent phishing attacks.

https://tools.ietf.org/html/rfc6749#section-3.1.2

[johanbrook]

Gotcha, I see. I thought I had seen wildcard redirect URIs from other API vendors, but might've been mistaken. Would it be a security issue even if only the subdomain is a wildcard?

[mjsalinger]

There are a few API providers that do not adhere to the spec and do allow it, even though it poses a security risk, but the vast majority don't, and the spec is pretty clear on it.

Subdomains wouldn't be as vulnerable as open URLs but they still are somewhat vulnerable and would require some extremely defensive programming.

What's the use case you're trying to support?

[johanbrook]

I see what you mean. Then it's best if an OAuth2 package isn't allowing bad practices :)

Our use case was with working with a Chrome app, which exposes some APIs for working with OAuth. They would provide a callback endpoint, such as https://[randomstring].chromeapp.com for OAuth providers to redirect to. Before we figured out that randomstring was persistent and unique to our app, we thought we needed to allow the whole *.chromeapp.com domain, which now clearly is a stupid idea.

Feel free to close this if you want to.

[mjsalinger]

Thanks, no problem. Good luck with your app.

[bboe]

I don't think this is a change we would want to do - as wildcard redirect URIs are a violation of the OAuth2 spec. The absolute redirect uri is an important security mechanism to prevent phishing attacks.

https://tools.ietf.org/html/rfc6749#section-3.1.2

I don't have any skin in the game in this project, however I want to point out that RFC3986’s definition of an absolute URI allows for * to be part of the absolute URI. Here are the relevant parts of the grammar that allow for it:

   absolute-URI  = scheme ":" hier-part [ "?" query ]
   hier-part     = "//" authority path-abempty
                 / path-absolute
                 / path-rootless
                 / path-empty
   authority     = [ userinfo "@" ] host [ ":" port ]
   host        = IP-literal / IPv4address / reg-name
   reg-name    = *( unreserved / pct-encoded / sub-delims )
   sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="

There is a comment in RFC-6749 that the most common name registry mechanism is DNS, but to be pedantic, there is no comment in the OAuth 2.0 spec that URIs using a hostname (instead of IP address) must be resolvable via DNS.

I completely agree wildcards in the hostname can be problematic, e.g., *.com. However something like *.mydomain.com when a user owns mydomain and all its subdomains seems reasonable assuming * in this case only represents a single subdomain (i.e., cannot include .). The rules Auth0 uses seem to be sensible: https://auth0.com/docs/applications/wildcards-for-subdomains

[NilsBaumgartner1994]

Push

[NilsBaumgartner1994]

https://github.com/panva/node-oidc-provider/blob/main/recipes/redirect_uri_wildcards.md

[james-d-elliott]

Regarding the * in RFC3986 see Section 6 which governs comparing strings. There is a complete lack of guidance on how to compare a * so short of some guidance it would be unwise to assume the meaning of the character.

The * could also be assumed to be a regex interpreted character for example.