OAuth 2.0 App workflow is not working when Redirect URI consist of IP address

New post

Comments

5 comments

  • Rui Barbosa

    Hi Siddharth,

    I'm wondering how are you generating a valid certificate for https://10.0.16.0 ;-) ?

    Any way the official version is that you should be using a valid https:// URI.

    The application configuration will allow you 2 exceptions to use http://, localhost and 127.0.0.1

    For example:

    However I did proceed in testing this use case.

    I have a linux box running at 10.1.1.70, I've generated a self sign certificate, and spin up a simple HTTP server using the self signed server.

    Sample python code as example:

           web_server = HTTPServer(
                (config.callback_hostname, config.callback_port), CallbackServer
            )
            web_server.socket = ssl.wrap_socket(
                web_server.socket,
                # keyfile=config.ssl_keyfile,
                certfile=config.ssl_certfile,
                server_side=True,
            )

    The initial request goes through:

    The authorization URL generate was:

    https://account.box.com/api/oauth2/authorize
    ?state=box_csrf_token_X...Q
    &response_type=code
    &client_id=0...c
    &redirect_uri=https%3A%2F%2F10.1.1.70%3A5000%2Fcallback

    And once I login, it's also ok:

    From this point on, of course the browser goes all crazy, and can't verify the authenticity, however, when I as a user do go through with it, the request reaches the server:

    So I wasn't able to replicate your use case.

    I would like to understand in which of these steps are you getting the error?

     

     

    0
    Comment actions Permalink
  • Siddharth Fultariya
    Hi Rui,
    Thank you for your quick response.
     
    The Redirect URI (https://10.0.16.0) I mentioned in the previous comment does not correspond to any real machine and it is just mentioned as an example.
     
    Please find the below analysis we have with various values of Redirect URI.
     
     



     
    For Case 1 we are getting 403 Error. However, for Cases 2, 3 and 4 we are able to see the HTML page asking for user consent as shown in the respective images.

    From the above analysis, it seems that whenever we have Redirect URL having an IP address, the exact value of the Redirect URI will not work and only the encoded version would work. However, this is not the case for the Redirect URI having a domain name and it works without encoding the Redirect URI value.

    This is causing the issue in our integration as previously the Redirect URI with IP address was working without the need for URL encoding.

    Is this a behavioral change in using the Redirect URI in OAuth 2.0?
    Please provide your insight for the same.
    Thank you!
    0
    Comment actions Permalink
  • Rui Barbosa

    I see what you mean, and I was able to replicate it.

    I'm not aware of changes in this area, so I'll submit the issue.

    It does make sense to always use URL encoding in this situation, so most likely this change was intentional.

    Even in the SDK's there is a function to generate the authorization URL and it does encode the redirect URI.

    So in the mean time my recommendation would be to use URL encoding.

    Best regards

    0
    Comment actions Permalink
  • Siddharth Fultariya (C)

    Thanks, Rui.

    Since this was working previously and is not working now. Is this a change made during any release? Can you please point us to the change logs where this change is mentioned?

    0
    Comment actions Permalink
  • Rui Barbosa

    Yes, that is what I'm trying to find out.

    I'm not sure if this was a bug fix or it simply did not make it to the change log.

    0
    Comment actions Permalink

Please sign in to leave a comment.