I'm making oauth with Zendesk and I need to add redirect urls to api client on Zendesk. What I want to do is to accept all urls that starts with example.com/something/. For example:
Is it possible to do and if yes how?
Nikola,
It is not possible to have dynamic redirect URLs. Security is the main reason for this. Is it possible for you to collect whatever data is being used in the path as a parameter?
It is not possible to have dynamic redirect URLs.
In our case, we've decided to save that url in cookie. Then we redirect our user from oauth to the same page ("Thank you for allowing access to our app"), and then redirect it to specific url saved in cookie.
Related
ive been doing a stephen grider course and he creates a google oauth client id with authorised js orgins as http://localhost:5000 and authorised redirect URI as http://localhost:5000/* and google accepts it. But when i try the same it throws me an error for redirect URI as Invalid redirect: Cannot contain a wildcard (*). And im not sure without this , further it will cause problems.Any way to solve this. Ive typed http://localhost:5000/ as a temp solution. Kindly suggest.
What ever course you are following must be very old I have been developing with Google for five years a wildcard redirect uri has not been allowed in that time.
Authorized redirect URIs
For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.
Redirect uri must be a path to the file you wish to use to handle your authorization.
The redirect URL you configure to the API console must be an exact string match to the redirect URL you use in your app. So for example, http://localhost:5000 does not match http://localhost:5000/ or https:5000//localhost. Thus a wildcard will never work.
Furthermore, it's very unusual for a redirect URL to not have a path component. So something like http://localhost:5000/myoauth is more conventional. That's not to say that an empty path is impossible, simply that it's so unusual that it's more probable you have misunderstood OAuth somewhere.
However, note that you can configure several redirect URLs, so http://local:5000 and https://localhost:5000 and https://myliveservice.com/redirect
I want mywebsite.com/STUFF to redirect anotherwebsite.com/STUFF
So basically, I want a certain part of the URL I type ("STUFF") to be inputted into the redirected URL. Is this possible?
P.S.: Using Apache
I am trying to configure a LinkedIn application for a multi tenant site. I will have 20+ tenants using the same application and the number is going to increase every time.
As per Linkedin API documentation (https://developer.linkedin.com/docs/oauth2) we need to ensure following points
We strongly recommend using HTTPS whenever possible
URLs must be
absolute (e.g. "https://example.com/auth/callback", not
"/auth/callback")
URL arguments are ignored (i.e.
https://example.com/?id=1 is the same as https://example.com/)
URLs
cannot include #'s (i.e.
"https://example.com/auth/callback#linkedin" is invalid)
Can i configure redirect url as https://*.mysite.com/auth/linkedin/callback instead of specifying url of each tenant separately.
You cannot do a subdomain based wild card mapping as the IP should know the RP.
You can change the logic after you get the authorization callback, so you set the cookie and then you will have to redirect the user back to the tenant URL instead of the base URL.
Anyway, after successful authorization, you will be redirecting the user to an action, just figure out the subdomaina and the construct the URL and do the redirection
HTH
EDIT
Since the use of the URL or other approaches seem to be a hack, can you please try to have a facade like application (or Gateway like one) that has a URL that is registered in linkedin and then on receiving the response, it can use a state or other factor to redirect to the tenant URL. This can use a 302 and it will be invisible unless the user is on a very slow network. This approach does not require any hack like approach.
Here state can be a function that takes a tenant info and generates a dynamic hash that is stored for tracking and redirection.
I found this link
Best way in asp.net to force https for an entire site? and it redirects the whole site to https.
I only want to use https for the pages need to be authorized (usually with [Authorization] attribute) - e.g. account management and some other pages, plus login page. And don't use https for these pages don't need to be authorized.
Don't.
Your authentication cookie will be included with every request whether you need it or not. This means every request you serve over HTTP instead of HTTPS is vulnerable to session hijacking.
My application has a userspace which used to be accessed by a url like domain.com/~username, but I am in the process of converting that to using subdomains instead (username.domain.com). However, I am running into an issue that I'm hoping someone might have an idea of how to get around.
Currently, visitors to a user's site get a cookie of the form user<id>_authentication (where <id> is the user ID of the site they're visiting), which is set to have the domain www.domain.com. However, now that I'm switching to subdomains, I want to find those cookies and transfer them to a new cookie called authentication per subdomain, using the subdomain as the cookie domain. However, the rails cookies array does not find the main domain cookies.
I know that if the old cookies were using .domain.com as the domain instead, they'd apply to the subdomain and would be present in cookies, but these cookies are already existing, and I'm trying to make the change as seamless for a user as possible -- so if they had an authentication cookie already for a site, I want them to not have to reauthenticate if at all possible.
Is there any way I can get the cookies from the main domain or does anyone have another suggestion of how I can transfer the cookies?
Update: Sorry, I didn't make it clear before, the cookie is only set if the visitor actively authenticates themselves by submitting a form on the user's site.
If you change the cookie domain to be more permissive (applying to more sub domains) you have no way to read the old, more restricted cookies except from the top level domain that used to work.
You will have to read the cookie, authenticate, and then write a new more permissive cookie before the cookie can be read by the subdomain.
You can roll out your migration logic in advance of the feature and hope you get most people. The rest will have to re-authenticate manually.
Personally I think they should have to re-authenticate.. it will only happen once, then they'll have the new ".domain.com" cookie.
But... One way to achieve this would be to check for the new cookie and when failing to find it, redirect to a new page on the main domain, providing the return url.
In that new page, check for the old style cookie, set the new style cookie, and redirect to the original url. if they don't have the old style cookie, redirect to the login area.
hope this helps.