Comments (6)
@0xC0ncord We're going to make this a bool on public clients that allows a localhost redirect as an option, port isn't going to be checked. The reason is that we enforce PKCE which protects the exchange.
from kanidm.
Given it's redir to localhost, this implies it also has to be a public client does it not? If that's the case, we could make it so public clients have an "allow redirects to localhost" bool where we can special case and check this. Public clients enforce PKCE is required too btw.
Yep, I think that's the case - but we should require registration of the URL 'cause I don't want arbitrary localhost:* to be allowed
The problem is applications may dynamically select the localhost port - this is also what PKCE exists to protect against if the token is sent to the wrong localhost application.
Bleeeeehhhh those applications need to get in the bin 😄 Have we seen any examples of them yet? Vault and netbird use static ports.
Have we seen any examples of them yet? Vault and netbird use static ports.
kubelogin's port is configurable (by manually specifying the listen address) but not dynamic.
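As an added illustration of the design discussed in the thread (this is example code written for this page, not kanidm's implementation), the sketch below shows a public client with an "allow redirects to localhost" flag: a registered loopback redirect URI matches regardless of port, every other redirect URI must match exactly, and the token exchange is gated by PKCE (S256 only) so that a code delivered to the wrong loopback listener cannot be redeemed without the original code_verifier. Names such as `AuthServer`, `redirect_uri_allowed` and `allow_localhost_redirect` are assumptions for the example; the in-memory client and code stores are constructed stand-ins for a real database.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Loopback hosts whose port is not compared when the client has the
# allow_localhost_redirect flag (assumption: this models the bool proposed in
# the thread; RFC 8252 section 7.3 recommends the same for native apps that
# bind an ephemeral port). urlsplit().hostname returns "::1" without brackets.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_allowed(registered_uris, candidate, allow_localhost_redirect):
    """True if `candidate` matches a registered redirect URI.

    Non-loopback URIs must match byte for byte. A loopback URI matches a
    registered loopback URI when scheme, host and path agree; the port is
    ignored only when allow_localhost_redirect is set for the client.
    """
    cand = urlsplit(candidate)
    for reg in registered_uris:
        if candidate == reg:
            return True
        r = urlsplit(reg)
        if (allow_localhost_redirect
                and r.scheme == cand.scheme == "http"
                and r.hostname in LOOPBACK_HOSTS
                and r.hostname == cand.hostname
                and r.path == cand.path):
            return True
    return False


def make_code_challenge(code_verifier):
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(code_verifier, stored_challenge, method="S256"):
    """Reject the 'plain' method and malformed verifiers; compare in constant time."""
    if method != "S256" or not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge)


class AuthServer:
    """Constructed in-memory stand-in for the authorization server."""

    def __init__(self):
        self.clients = {}  # client_id -> registration record
        self.codes = {}    # authorization code -> what it was issued for

    def register_public_client(self, client_id, redirect_uris, allow_localhost_redirect=False):
        self.clients[client_id] = {
            "redirect_uris": list(redirect_uris),
            "allow_localhost_redirect": allow_localhost_redirect,
        }

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        """Authorization endpoint: PKCE is mandatory for public clients."""
        client = self.clients[client_id]
        if method != "S256" or not code_challenge:
            raise ValueError("PKCE S256 challenge required")
        if not redirect_uri_allowed(client["redirect_uris"], redirect_uri,
                                    client["allow_localhost_redirect"]):
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "code_challenge": code_challenge}
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint: single-use code, same client and redirect_uri, valid verifier."""
        entry = self.codes.pop(code, None)  # pop makes the code single use
        if (entry is None or entry["client_id"] != client_id
                or entry["redirect_uri"] != redirect_uri):
            return None
        if not verify_pkce(code_verifier, entry["code_challenge"]):
            return None
        return secrets.token_urlsafe(32)  # stand-in access token


def demo():
    """Legit CLI on an ephemeral port succeeds; a listener that only saw the code fails."""
    srv = AuthServer()
    srv.register_public_client("cli-tool", ["http://localhost:8080/cb"],
                               allow_localhost_redirect=True)
    verifier = secrets.token_urlsafe(32)  # kept by the real client process
    redirect = "http://localhost:51234/cb"  # port chosen at runtime, not 8080
    code = srv.authorize("cli-tool", redirect, make_code_challenge(verifier))
    intercepted_ok = srv.token("cli-tool", code, redirect, "x" * 64) is not None
    legit_ok = srv.token("cli-tool", code, redirect, verifier) is not None
    return {"intercepted_ok": intercepted_ok, "legit_ok": legit_ok}
```

Note that `demo()` has the interceptor try first: because the wrong verifier fails before the code is honoured, and the code was popped on that attempt, the genuine client's exchange also fails, which is the intended outcome (the code is burned and the user retries) rather than the intercepted code yielding a token.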