Intility / fastapi-azure-auth

Easy and secure implementation of Azure Entra ID (previously AD) for your FastAPI APIs 🔒 B2C, single- and multi-tenant support.
https://intility.github.io/fastapi-azure-auth
MIT License
439 stars 64 forks

[Feature request] oauth2-redirect outside local development #72

Closed Christian-Schultz closed 2 months ago

Christian-Schultz commented 2 years ago

The documentation is sufficient for building an API that runs in a local development environment - but I suppose that setting oauth2-redirect to a real domain instead of localhost is a common use case outside local development. Suppose the API is hosted somewhere (Kubernetes, Azure Container Instances, Virtual Machine) - how should the oauth2-redirect URI now be changed - and what are some options on how to treat TLS in such a setting (as Azure App Registration will only allow https links as redirects)? Maybe a section on production maturing would be helpful or maybe simply just clarifying that oauth2-redirect should be changed in a realistic production/TLS setting.
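The redirect URI question above, worked as an added example that is not part of the original thread or the project's code: a stdlib-only helper that builds the URI to register on the OpenAPI app registration from the public origin clients actually use, and rejects plain `http` for anything but local development. The `/oauth2-redirect` path (the value assumed for FastAPI's `swagger_ui_oauth2_redirect_url`), the `root_path` proxy prefix, the function name and the sample hostnames are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts that count as local development, where plain http is accepted.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def swagger_redirect_uri(public_origin: str,
                         redirect_path: str = "/oauth2-redirect",
                         root_path: str = "") -> str:
    """Return the redirect URI to register for the Swagger UI login flow.

    public_origin is the scheme://host[:port] users type into the browser,
    i.e. the TLS-terminating proxy or platform endpoint, not the container.
    """
    parts = urlsplit(public_origin)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("public_origin must be an absolute http(s) origin")
    if parts.username or parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("public_origin must be scheme://host[:port] only")
    if parts.scheme == "http" and host not in LOCAL_HOSTS:
        # The app registration only accepts https redirects outside localhost.
        raise ValueError(f"plain http is only usable for local development, got {host}")
    if not redirect_path.startswith("/"):
        raise ValueError("redirect_path must start with '/'")
    prefix = root_path.rstrip("/")
    if prefix and not prefix.startswith("/"):
        raise ValueError("root_path must start with '/'")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return f"{parts.scheme}://{netloc}{prefix}{redirect_path}"


if __name__ == "__main__":
    # Constructed sample origins: local development and a hosted deployment.
    print(swagger_redirect_uri("http://localhost:8000"))
    print(swagger_redirect_uri("https://api.example.com", root_path="/v1"))
```

The value returned for the hosted origin is what goes into the app registration next to (or instead of) the localhost entry; the application code itself does not change.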

JonasKs commented 2 years ago

Hi! Thanks for the feedback. 😊

I agree, we could definitely add some options here. @h3rmanj actually has a section about this here, which we could take inspiration from. Would you please look over that and see if that is sufficient information, or anything else you'd like to add?

On the second part about TLS and hosting; I'd generally want to steer away from talking too much about those subjects, as it will vary so much between the services. At some point I think having too much documentation will just make it be skimmed instead of followed, so it's a fine balance.

Christian-Schultz commented 2 years ago

I think that section covers most of the details - so I guess most of it is already written. I'll see if I can do a PR over Easter copy-pasting this and modifying it where necessary.

I agree with your comment on TLS, it is probably too much detail. Maybe it's a topic for a future Medium post.

JonasKs commented 2 years ago

Awesome! Let me know if you have any issues, I'm normally pretty quick to respond.

As a side note, I'm not sure if we need a redirect URL on the backend app registration at all, since we're not hosting an MVC site. I'll see if it is possible to even skip that step, and only have a redirect URL for the OpenAPI app reg and whatever frontend app registrations one might have.

> I agree with your comment on TLS, it is probably too much detail. Maybe it's a topic for a future Medium post.

True! We actually have our own blog over at engineering@, I've written a blog about OAuth2 there.

As for the topic, pure frontends (such as your own react frontend) can be hosted for free on GitHub pages behind a custom domain with TLS. It is also easy to set up, all you do is to point a domain name to GitHub as told in the settings for the repository, and it'll create a file called CNAME for you. We do this for the templates repository I linked above, under the gh-pages branch.

I'll think about creating a blog post with examples for the most common providers, but I won't promise anything. 😁 I have a few other things I want to write about first.

h3rmanj commented 2 years ago

> As a side note, I'm not sure if we need a redirect URL on the backend app registration at all, since we're not hosting an MVC site. I'll see if it is possible to even skip that step, and only have a redirect URL for the OpenAPI app reg and whatever frontend app registrations one might have.

Very much possible, I have omitted the redirect URL in the template setup guide for .NET already.

JonasKs commented 2 years ago

You're always one step ahead, aren't you! Let's reflect that over here. 😁

Christian-Schultz commented 2 years ago

Perfect, I will see what I can do. I have an ambition of writing a blog on how to deploy a containerized FastAPI app as an Azure App Service - I might as well use this example as the base for that. That comes with free automatic SSL as well, so it might serve as a good example.

JonasKs commented 2 years ago

Hi! Do you still want to fix this? If not I'll look into it this week/weekend. 😊

Christian-Schultz commented 2 years ago

It's still on my todo - unfortunately I've been very busy elsewhere. I'll see if I can get it done before the weekend, otherwise feel free :)

JonasKs commented 2 years ago

No rush, just wanted to follow up. I’ll leave it then 😊

JonasKs commented 2 months ago

Closing this for inactivity.

> Very much possible, I have omitted the redirect URL in the template setup guide for .NET already.

I'll fix this in the v5 release.