oddlama / kanidm-provision

A small utility to help with kanidm provisioning
Apache License 2.0

kanidm 1.4 and strict-redirect-url #12

Open mannp opened 1 week ago

mannp commented 1 week ago

Hi there

Is setting strict-redirect-url something that might be supported in a future release at all?

If you have not enabled strict-redirect-url on all OAuth2 clients the upgrade to 1.4.0 will refuse to proceed.

To enable or disable strict validation:

kanidm system oauth2 enable-strict-redirect-url <name>
kanidm system oauth2 disable-strict-redirect-url <name>

Would setting this outside of kanidm-provision be an issue as you see it?

Thanks in advance

oddlama commented 1 week ago

I do think we should support provisioning this in a future version, I'm pretty sure there are some clients out there that don't work with the strict behavior.

> Would setting this outside of kanidm-provision be an issue as you see it?

No, should be completely fine. The provisioning doesn't touch any attribute it doesn't know about. I guess you are forced to manually set this to true anyway before upgrading if I understand the documentation correctly.

Unfortunately I won't have time to implement it in the next 2 weeks, so you have to make do with setting it manually until I have a free minute for this.

mannp commented 1 week ago

> I do think we should support provisioning this in a future version, I'm pretty sure there are some clients out there that don't work with the strict behavior.

Really, I wasn't aware of that. Will have to keep an eye out when I try to upgrade to 1.4

> No, should be completely fine. The provisioning doesn't touch any attribute it doesn't know about. I guess you are forced to manually set this to true anyway before upgrading if I understand the documentation correctly.

Okay thanks, that is good to know. Yes that is my understanding too re 1.4. I have just done the upgrade check, and it says I must enable strict-redirect-url on all clients before 1.4 will upgrade.

> Unfortunately I won't have time to implement it in the next 2 weeks, so you have to make do with setting it manually until I have a free minute for this.

Of course, not a problem at all, I will just set them manually and take it from there.

Happy to close this, or keep it open to track any future update...

Thanks for the really quick response :) cheers

oddlama commented 1 week ago

> Thanks for the really quick response :) cheers

Good luck with your upgrade!

> Happy to close this, or keep it open to track any future update...

Actually let's keep it open, otherwise I might forget this 😅

mannp commented 1 week ago

> Good luck with your upgrade!

Cheers, thanks.

You were right, the second client I just upgraded would not allow me to log in to the destination app.

Reverted for now and will leave it for another day when I have time to fix things :)

> Actually let's keep it open, otherwise I might forget this 😅

Sure

Have a good one.

mannp commented 1 week ago

With 1.4 the redirect url must be an exact match and mine often look like:

/auth/login/kanidm/callback or .../callback

Adding a slash at the end as the app currently directs us to now seems invalid?

Not sure if I have understood correctly, but without the slash works, with does not.

        # Required. Must end with a '/'.
        # Also accepts a non-empty list of strings if you want to set multiple origin urls.
        # e.g. ["https://git.example.com/", "https://git.example.de/"]
        "originUrl": "https://git.example.com/",

Upgrade complete :)
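The trailing-slash failure above is the visible side of what strict redirect matching changes. As an added example that is not part of this thread, of kanidm, or of kanidm-provision, the script below models the two validation modes side by side: exact string comparison (what RFC 6749 and the OAuth 2.0 Security BCP recommend, and what the 1.4 upgrade check enforces) versus an origin-only comparison that stands in for the looser behaviour. The registered URI, the client names and the "open redirect" URL are constructed for the demonstration; the origin-based matcher is an assumption used to illustrate the difference, not a copy of kanidm's implementation. The `upgrade_report` helper is likewise hypothetical: feed it the redirect URIs your apps actually send and it lists the ones that strict mode would reject, which is the check worth running before flipping `enable-strict-redirect-url` on each client.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example data (not taken from kanidm or kanidm-provision):
# the single redirect URI registered for a hypothetical client "forgejo".
REGISTERED = {"forgejo": ["https://git.example.com/auth/login/kanidm/callback"]}


def origin(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased, with path/query dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), "", "", ""))


def redirect_allowed(redirect_uri: str, registered: list[str], strict: bool) -> bool:
    """Decide whether an authorization request's redirect_uri is acceptable.

    strict=True  : exact string match against a registered URI. A trailing
                   slash, extra path segment or query string all fail.
    strict=False : only the origin must match (assumed model of the looser
                   mode, used here for contrast; not kanidm's code).
    """
    if strict:
        return redirect_uri in registered
    return origin(redirect_uri) in {origin(r) for r in registered}


def upgrade_report(observed: dict[str, list[str]],
                   registered: dict[str, list[str]]) -> dict[str, list[str]]:
    """For each client, list the redirect URIs the app actually sends that
    strict matching would reject. An empty list means the client is ready."""
    return {
        client: [u for u in uris
                 if not redirect_allowed(u, registered.get(client, []), strict=True)]
        for client, uris in observed.items()
    }


if __name__ == "__main__":
    good = "https://git.example.com/auth/login/kanidm/callback"
    slash = good + "/"  # what the app in the thread sends
    # Why origin-only matching is dangerous: any open redirect on the same
    # origin lets an attacker receive the authorization code.
    evil = "https://git.example.com/redirect?to=https://attacker.example/"

    for uri in (good, slash, evil):
        print(f"{uri}\n  strict={redirect_allowed(uri, REGISTERED['forgejo'], True)}"
              f"  lax={redirect_allowed(uri, REGISTERED['forgejo'], False)}")

    # Pre-upgrade check: which observed URIs break once strict mode is on?
    print(upgrade_report({"forgejo": [slash]}, REGISTERED))
```

Run it and the trailing-slash URI passes the lax check but fails the strict one, which is exactly the login failure reported above; the fix is to register the URI the app really sends (with the slash) rather than to relax matching, because the same lax rule also accepts the constructed open-redirect URL on the registered origin.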