logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
8.39k stars 413 forks

bug: Expo client cannot use expo go redirect_uri #5632

Open artalat opened 5 months ago

artalat commented 5 months ago

Describe the bug

Expo Go app uses the "exp" scheme for its URI. For example: exp://192.168.3.137:8081. But Logto's URI validation fails for this.

Expected behavior

The client accepts such redirect_uris

How to reproduce?

Just try to set the example uri from the example given above.

xiaoyijun commented 5 months ago

Hi @artalat , this is intended by Logto, since your app is a native app, you need to use a reverse domain name notation for your scheme according to the RFC when using OAuth 2.0.

artalat commented 5 months ago

Hi @xiaoyijun , thank you for your response. But this disrupts the Expo development process, as Expo's official Expo Go app uses this scheme. In Expo, for managed workflow apps, development is done on Expo Go. So this is a problem.

Besides, if the OS is not enforcing this limitation, why should Logto?

gao-sun commented 5 months ago

@xiaoyijun let's discuss this next week

artalat commented 5 months ago

Any update on this?

simeng-li commented 5 months ago

@artalat, on which platform did you execute Expo Go? If it was iOS, you can define a custom redirect URI e.g. app.my//callback and pass it to the AuthSession instead of the default exp://XXXX one, which should unblock your development.

However, I'm afraid that this won't work on Android. Custom redirect URIs might not invoke the Expo Go app correctly on Android.

To conduct testing on Android, you'll need to build an Android package instead of relying on Expo Go, and set the custom scheme in the app.json file. This ensures everything works properly on the production packages.

The private use native client scheme is restricted by the OAuth2.0 spec.

For private-use URI scheme-based redirects, authorization servers SHOULD enforce the requirement in Section 7.1 that clients use schemes that are reverse domain name based. At a minimum, any private-use URI scheme that doesn't contain a period character (".") SHOULD be rejected.

Let me know if this helps.
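An added example, not Logto's own code, that applies the RFC 8252 rule quoted above as a redirect URI check: private-use schemes must be reverse-domain based (at minimum, contain a period), while http is only accepted for loopback addresses. The exp:// value is the one from this issue; the other sample URIs are constructed.

```typescript
// Added example (not Logto's code): redirect URI check per RFC 8252.
// - https: accepted (claimed "https" URL redirect)
// - http: accepted only for loopback hosts (RFC 8252 section 7.3)
// - anything else is a private-use scheme and must contain a period,
//   i.e. reverse domain name notation (RFC 8252 section 7.1)
type RedirectCheck = { ok: boolean; reason: string };

function checkNativeRedirectUri(uri: string): RedirectCheck {
  let parsed: URL;
  try {
    parsed = new URL(uri);
  } catch {
    return { ok: false, reason: "not a parseable URI" };
  }
  // URL.protocol keeps the trailing colon; strip it and normalise case.
  const scheme = parsed.protocol.replace(/:$/, "").toLowerCase();

  if (scheme === "https") {
    return { ok: true, reason: "https redirect" };
  }
  if (scheme === "http") {
    // WHATWG URL keeps the brackets around IPv6 hosts, hence "[::1]".
    const host = parsed.hostname;
    const loopback = host === "127.0.0.1" || host === "[::1]" || host === "localhost";
    return loopback
      ? { ok: true, reason: "http loopback redirect, any port allowed" }
      : { ok: false, reason: `http redirect to non-loopback host "${host}"` };
  }
  if (!scheme.includes(".")) {
    return {
      ok: false,
      reason: `private-use scheme "${scheme}" has no period; expected reverse-domain form such as com.example.app`,
    };
  }
  return { ok: true, reason: `reverse-domain private-use scheme "${scheme}"` };
}

// Constructed sample set: the exp:// URI from this issue plus typical alternatives.
const sampleRedirects = [
  "exp://192.168.3.137:8081",             // rejected: scheme "exp" has no period
  "app.my://callback",                    // accepted: reverse-domain style scheme
  "http://127.0.0.1:8081/callback",       // accepted: loopback
  "http://192.168.3.137:8081/callback",   // rejected: http to a LAN address
];
for (const uri of sampleRedirects) {
  const result = checkNativeRedirectUri(uri);
  console.log(`${result.ok ? "accept" : "reject"} ${uri}: ${result.reason}`);
}
```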

artalat commented 5 months ago

@simeng-li Thanks for your detailed response. Apart from the hassle this causes, my point is: if the OS/platform allows setting a scheme without a ".", Logto shouldn't enforce this restriction for those specific OS/platforms.