jebrosen / rocket_oauth2

OAuth2 for Rocket applications
Apache License 2.0

Feature: Make redirect_uri optional #10

Closed rethab closed 4 years ago

rethab commented 4 years ago

Hi, as far as I can see the redirect_uri seems to be required in any case: https://github.com/jebrosen/rocket_oauth2/blob/master/src/config.rs#L13

Now in the scenario I'm using this library, which is only the token exchange, in a server-to-server scenario, providing the redirect_uri is not required (also see github's docs: https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#parameters-1).

It would be nice if this library allowed me to omit this parameter.

jebrosen commented 4 years ago

It should be possible to not require it in rocket_oauth2; the spec and some providers allow for alternative registration of the redirect URI.

But I'm not sure it would actually help you: the way this library is currently structured, a token exchange can only happen in response to the callback handler (the destination of the redirect_uri). Can you explain your workflow in more detail?

rethab commented 4 years ago

The thing is that I'm only using the token exchange part of this library. Arguably, using this library is not really worth it in my case.

What happens in its entirety:

In other words, I only use your library for these two lines:

let hyper = HyperSyncRustlsAdapter {};
let access_token = hyper.exchange_code(&self.oauth_config, TokenRequest::AuthorizationCode(code.0))

jebrosen commented 4 years ago

> Github POSTs to the backend (note that until now, the backend was not involved at all)

I'm unfamiliar with this step. GitHub claims to only support the Authorization Code Grant for OAuth2 apps, and under the Authorization Code Grant the code is always transferred via a client-side redirect to the redirect URI. I also don't see anything in RFC 6749 about an authorization server making a POST request to the application server.

> let hyper = HyperSyncRustlsAdapter {};
> let access_token = hyper.exchange_code(&self.oauth_config, TokenRequest::AuthorizationCode(code.0))

Ah, I stand corrected - I had forgotten this was possible in the public API.

rethab commented 4 years ago

I'm sorry, when I said "Github POSTs to the backend" I meant to say: "My JS app POSTs to the backend". So my JS app gets the code from Github and after that, my JS app POSTs that code to the backend. The backend then does the token exchange.

In any case, I understand the surface area with your library is quite small and it might actually be easier for me to just implement the token exchange manually.

jebrosen commented 4 years ago

Okay, I think we are on the same page. It makes sense in isolation to make redirect_uri optional anyway, but I also agree that this library may do more than you personally need.

jebrosen commented 4 years ago

This functionality has been implemented in 0.3.0-rc.1: redirect_uri is an Option in the API, and a missing value in Rocket.toml is treated as None.
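The server-to-server exchange discussed in this thread (a JS client obtains the code, POSTs it to the backend, and the backend exchanges it without a callback handler), written out as an added example that is not rocket_oauth2 code. `ExchangeConfig`, `token_request_body` and `parse_token_response` are hypothetical names; the body only includes `redirect_uri` when it is `Some`, mirroring the `Option` introduced in 0.3.0-rc.1, and the response parser handles GitHub's default form-encoded reply and its `error` field.

```rust
// Added example, not part of rocket_oauth2. Names are hypothetical.
use std::collections::HashMap;

/// Backend-side settings for the code exchange.
pub struct ExchangeConfig {
    pub token_url: String,
    pub client_id: String,
    pub client_secret: String,
    /// None when the redirect URI was registered with the provider instead.
    pub redirect_uri: Option<String>,
}

/// Percent-encode one value for application/x-www-form-urlencoded.
fn form_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the POST body for the token endpoint. grant_type is required by
/// RFC 6749; redirect_uri is sent only when configured, since the code was
/// handed to the backend by the client app rather than by a redirect callback.
pub fn token_request_body(cfg: &ExchangeConfig, code: &str) -> String {
    let mut params = vec![
        ("grant_type", "authorization_code"),
        ("client_id", cfg.client_id.as_str()),
        ("client_secret", cfg.client_secret.as_str()),
        ("code", code),
    ];
    if let Some(uri) = cfg.redirect_uri.as_deref() {
        params.push(("redirect_uri", uri));
    }
    let pairs: Vec<String> = params.iter().map(|(k, v)| format!("{}={}", form_encode(k), form_encode(v))).collect();
    pairs.join("&")
}

/// Parse the provider's form-encoded token response, e.g.
/// `access_token=gho_xxx&scope=repo&token_type=bearer`. An `error` field
/// (e.g. bad_verification_code for a reused code) is surfaced instead of
/// being mistaken for success.
pub fn parse_token_response(body: &str) -> Result<String, String> {
    let fields: HashMap<&str, &str> = body.split('&').filter_map(|kv| kv.split_once('=')).collect();
    if let Some(err) = fields.get("error") {
        return Err(err.to_string());
    }
    fields.get("access_token").map(|t| t.to_string()).ok_or_else(|| "missing access_token".to_string())
}
```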