Description
I did this
Updated my kanidm instance to 1.4 from 1.3, and ran enable-strict-redirect-url on my netbird RS
I expected the following
After adding the callback URL (with `kanidm system oauth2 add-redirect-url netbird 'vpn.example.com/#callback'`, value taken from the kanidm logs after a failed attempt with strict redirect enabled), I would be able to log in as usual
This happened instead
I got an invalid_origin error:
Nov 16 21:32:05 aer kanidmd[20870]: 6a177cf0-dd89-41d3-bf49-cb0aa1d463c9 INFO ┝━ handle_oauth2_authorise [ 1.02ms | 9.77% / 74.58% ]
Nov 16 21:32:05 aer kanidmd[20870]: 6a177cf0-dd89-41d3-bf49-cb0aa1d463c9 INFO │ ┝━ validate_client_auth_info_to_ident [ 890µs | 64.81% ]
Nov 16 21:32:05 aer kanidmd[20870]: 6a177cf0-dd89-41d3-bf49-cb0aa1d463c9 INFO │ │ ┕━ i [info]: A valid limited session value exists for this token | event_tag_id: 10
Nov 16 21:32:05 aer kanidmd[20870]: 6a177cf0-dd89-41d3-bf49-cb0aa1d463c9 WARN │ ┕━ 🚧 [warn]: Invalid OAuth2 redirect_uri (must be an exact match to a redirect-url) - got https://vpn.example.com/#callback
Nov 16 21:32:05 aer kanidmd[20870]: 6a177cf0-dd89-41d3-bf49-cb0aa1d463c9 ERROR ┕━ 🚨 [error]: Unable to authorise - Error ID: 6a177cf0-dd89-41d3-bf49-cb0aa1d463c9 error: invalid_origin
Kanidm version details
- Output of kanidm(d) version: kanidmd 1.4.2
- Are you running it in a container? If so, which image/tag?:
- If not a container, how'd you install it: NixOS module
- Operating System / Version (On Unix please post the output of uname -a): Nixpkgs rev dc460ec76cbff0e66e269457d7b728432263166c, Linux aer 6.6.60 #1-NixOS SMP PREEMPT_DYNAMIC Fri Nov 8 15:28:28 UTC 2024 x86_64 GNU/Linux
Any other comments
The upstream documentation doesn't seem to provide much information on callback URLs for the dashboard, but I suspect it might be due to the use of URL fragments (https://example.com/#url-fragment). The log states:
┕━ 🚧 [warn]: Invalid OAuth2 redirect_uri (must be an exact match to a redirect-url) - got https://vpn.example.com/#callback
While kanidm system oauth2 get netbird states:
oauth2_rs_origin: https://vpn.example.com/#callback
oauth2_rs_origin_landing: https://vpn.example.com/
...where the oauth2_rs_origin (which is the redirect-url set with add-redirect-url) is an exact match to what the log says it got for the redirect-url. All of my other resource servers (pgadmin, jellyfin-sso etc.) are working just fine (using the same steps: enable strict checking, attempt to log in, check the callback url, and add it with add-redirect-url) both before and after upgrading/enabling strict url checking.