FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Allow wildcards in certain redirect URLs to include all path segments #2783

Closed LucasPMorris closed 2 weeks ago

LucasPMorris commented 2 weeks ago

Allow wildcard in some redirects to include all path segments

Problem

When specifying a redirect URL (such as the Logout URL) with a wildcard, it will not allow additional path segments after the wildcard. For example:

Specific URL: myappurl.com/logout/*

The following URLs will work:

These URLs will not work:

Solution

Also allow additional segments after a URL wildcard.

robotdan commented 2 weeks ago

This is working as designed. There are several security concerns with making wildcards behave the way you suggest.

If a customer needs myappurl.com/logout/link1/detail1 to be a valid Logout URL, they need to add myappurl.com/logout/link1/detail* as an authorized redirect.

I understand this may not be ideal in some cases, but the intended design is that a * can only account for a single path segment. It cannot account for more than 1 path segment.
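A small allow-list matcher illustrating the single-segment wildcard rule robotdan describes, contrasted with the multi-segment behaviour the issue asked for. This is an added example, not FusionAuth's own code; the details beyond "a `*` covers at most one path segment" (everything else matched literally, the whole URL must match, an empty segment is accepted) are assumptions made here for illustration.

```python
import re
from typing import List, Optional


def wildcard_regex(pattern: str, single_segment: bool = True) -> "re.Pattern":
    """Compile a redirect-URL allow-list pattern into a regex.

    single_segment=True : '*' matches any characters except '/', so it can
                          stand in for at most one path segment (the design
                          described in the thread).
    single_segment=False: '*' also matches '/', i.e. the any-depth behaviour
                          the issue requested, kept here only for contrast.
    Assumptions: everything other than '*' is literal, the whole URL must
    match, and an empty segment (trailing '/') satisfies a '*'.
    """
    star = "[^/]*" if single_segment else ".*"
    # re.escape turns '*' into '\*'; swap that token for the chosen class.
    return re.compile("^" + re.escape(pattern).replace(r"\*", star) + "$")


def is_authorized_redirect(url: str, allowed: List[str],
                           single_segment: bool = True) -> Optional[str]:
    """Return the first allow-list pattern that matches url, else None."""
    for pattern in allowed:
        if wildcard_regex(pattern, single_segment).fullmatch(url):
            return pattern
    return None


# Constructed sample allow-list built from the URLs quoted in the thread.
ALLOWED = ["myappurl.com/logout/*", "myappurl.com/logout/link1/detail*"]

if __name__ == "__main__":
    for candidate in ["myappurl.com/logout/link1",
                      "myappurl.com/logout/link1/detail1",
                      "myappurl.com/logout/a/b/c"]:
        print(candidate, "->", is_authorized_redirect(candidate, ALLOWED))
```

With the single-segment rule, `myappurl.com/logout/link1/detail1` is rejected by `myappurl.com/logout/*` and accepted only because the second, more specific entry exists; switching to the any-depth rule would make the first entry cover every path below `/logout/`, which is the broadening the thread declines.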