Comments (6)
Firstyear
commented on June 11, 2024
1
@0xC0ncord We're going to make this a bool on public clients that allows a localhost redirect as an option, port isn't going to be checked. The reason is that we enforce PKCE which protects the exchange.
from kanidm.
Firstyear
commented on June 11, 2024
Given it's redir to localhost, this implies it also has to be a public client does it not? If that's the case, we could make it so public clients have an "allow redirects to localhost" bool where we can special case and check this. Public clients enforce PKCE is required too btw.
from kanidm.
yaleman
commented on June 11, 2024
Yep, I think that's the case - but we should require registration of the URL 'cause I don't want arbitrary localhost:* to be allowed
from kanidm.
Firstyear
commented on June 11, 2024
The problem is applications may dynamically select the localhost port - this is also what PKCE exists to protect against if the token is sent to the wrong localhost application.
from kanidm.
yaleman
commented on June 11, 2024
Bleeeeehhhh those applications need to get in the bin 😄 Have we seen any examples of them yet? Vault and netbird use static ports.
from kanidm.
0xC0ncord
commented on June 11, 2024
Have we seen any examples of them yet? Vault and netbird use static ports.
kubelogin's port is configurable (by manually specifying the listen address) but not dynamic.
from kanidm.
Related Issues (20)
- Can't sign out properly HOT 9
- Allow bindaddress to be a unix socket HOT 1
- Option to disable self managing displayname, name, and legal name
- forward_auth support in kanidm HOT 12
- oauth2 authorization code can be exchanged for access token multiple times HOT 2
- OAuth2 Debugging Tools
- migrate_domain_6_to_7: MG0005GidConstraintsNotMet HOT 2
- Issue upgrading from v1.1.0-beta.13 (1.1.0~beta13~git7.1fb34a9) -> 1.2.1 HOT 3
- The "Install" link on the homepage (top) is broken HOT 1
- Support OIDC client_ids of OwnCloud Desktop, Android, iOS HOT 14
- Support the change-password URI spec with a redirect HOT 1
- Restrict client login by IP HOT 6
- Release 1.2.2 didn't update Cargo.lock HOT 2
- Change to Kanidm installation guide for people using replication HOT 1
- Unable to authenticate using replicated kanidm server HOT 4
- Allow alternate OIDC URL schema
- CLI command to change client displaynames
- Support multiple signed-in accounts HOT 1
- Posix UUIDs are larger than `utmp`/`wtmp` allows
- Using tracing instrumentation to measure call timings HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kanidm.