Context
As part of the OAuth2 authorization code flow that keyconjurer conducts to retrieve an access token for the user, keyconjurer currently listens on the address 0.0.0.0:57468 for inbound HTTP requests.
As per RFC 8252, the IdP MUST allow ephemeral ports:
An example redirect using the IPv6 loopback interface with a randomly assigned port:
The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.
Unfortunately, Okta does not support this; it is not possible to specify any port using a wildcard, so all ports must be explicitly specified in the OAuth2 client configuration.
The problem
At Riot, some of our users, Windows users in particular, are finding that Windows is assigning port 57468 to other processes. It is possible for Windows to assign that port number because we make no reservations or modifications to the Windows registry; doing so would likely involve an installer or a great deal of Windows-specific code, which there isn't the appetite to author right now. If we were to take that step, it would be easier to simply register a custom URL scheme and bypass ports entirely (similar to spotify://).
This PR attempts to resolve this by allowing KeyConjurer to try a number of different ports (each of which must be explicitly passlisted by the IdP) before giving up and reporting an error to the user.
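The fallback described above, as an added example in Go that is not code from this PR or from the keyconjurer project: a list of candidate ports is tried in order, the first one that binds is used, and the redirect URI handed to the IdP is derived from the port that actually bound, so the IdP's explicit allow list and the local listener stay in agreement. Only if every candidate is taken does it report an error that names each port and why it failed, which is the message a user would want when diagnosing a port collision. The port list beyond 57468 is a placeholder, and the callback path /oauth2/callback is assumed. The example binds to the loopback address 127.0.0.1, which is the loopback redirect form RFC 8252 describes, rather than to 0.0.0.0; that is this example's choice and a narrower exposure than a wildcard bind, not a description of what keyconjurer does.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strconv"
)

// Candidate loopback ports. Every port listed here must also appear explicitly
// in the IdP's redirect URI allow list. 57468 is the port the PR discusses;
// the remaining values are placeholders constructed for this example.
var candidatePorts = []int{57468, 57469, 57470}

// callbackPath is an assumed path for the authorization code callback.
const callbackPath = "/oauth2/callback"

// listenOnFirstFree tries each port in order on the loopback interface and
// returns the first listener that binds plus the redirect URI the client must
// send to the IdP for that port. It fails only when every port is in use, and
// the returned error lists each port with the bind error it produced.
func listenOnFirstFree(ports []int) (net.Listener, string, error) {
	var errs []error
	for _, p := range ports {
		addr := net.JoinHostPort("127.0.0.1", strconv.Itoa(p))
		l, err := net.Listen("tcp", addr)
		if err != nil {
			// Typically "address already in use"; keep it and move on.
			errs = append(errs, fmt.Errorf("port %d: %w", p, err))
			continue
		}
		return l, "http://" + addr + callbackPath, nil
	}
	return nil, "", fmt.Errorf("no candidate redirect port is free: %w", errors.Join(errs...))
}

// boundPort reports the TCP port a listener actually bound to.
func boundPort(l net.Listener) int {
	return l.Addr().(*net.TCPAddr).Port
}

func main() {
	l, redirectURI, err := listenOnFirstFree(candidatePorts)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer l.Close()
	fmt.Println("listening on port", boundPort(l))
	fmt.Println("redirect_uri to include in the authorization request:", redirectURI)

	// Serve the callback on whichever port won. A real client would read the
	// code and state query parameters here and hand the code to the token flow.
	mux := http.NewServeMux()
	mux.HandleFunc(callbackPath, func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("code") == "" {
			http.Error(w, "missing authorization code", http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Authorization received; you may close this window.")
	})
	_ = http.Serve(l, mux)
}
```

Because the redirect URI is built from the address that bound rather than from a fixed constant, a port taken by another process simply shifts the client to the next allow-listed port instead of producing a redirect mismatch at the IdP.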