snok / django-auth-adfs

A Django authentication backend for Microsoft ADFS and AzureAD
http://django-auth-adfs.readthedocs.io/
BSD 2-Clause "Simplified" License

Allow additional trusted hosts during callback redirect #355

Open axieum opened 4 days ago

axieum commented 4 days ago

During development, our Django backend runs at http://localhost:8000/ while the frontend is at http://localhost:5173/.

The following host verification code restricts the redirect to the current request's host.

https://github.com/snok/django-auth-adfs/blob/9415d8a5c885587a1b8b6ed27414da24968336d4/django_auth_adfs/views.py#L54-L59

Could it be possible to merge in Django's ALLOWED_HOSTS setting so we can redirect them back to the original client that may be at a different host?


tim-schilling commented 2 days ago

I'm curious why specifying the redirect via state doesn't work as a workaround?

axieum commented 1 day ago

At present, the view decodes the redirect URI from the state but since the redirect is to a different host than the Django application itself, it replaces it with /.

This issue requires that we can add more allowed redirect hosts, so we can redirect away to the frontend application that may be at a different host.

axieum commented 17 hours ago

> Could it be possible to merge in Django's ALLOWED_HOSTS setting so we can redirect them back to the original client that may be at a different host?

Instead of using Django's setting, I think a dedicated setting in the AUTH_ADFS namespace would be more secure and flexible.
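A stdlib-only sketch of the check the last comment proposes, added here as an example and not code from django-auth-adfs: the callback's current same-host rule extended with a dedicated allow-list, validated the way Django's url_has_allowed_host_and_scheme does so that scheme-relative, backslash and control-character tricks still fall back to "/". The setting name AUTH_ADFS_ALLOWED_REDIRECT_HOSTS is an assumption, and the redirect target is assumed to be already decoded from state.

```python
from urllib.parse import urlsplit
import unicodedata

# Hypothetical dedicated setting, as proposed in the thread; the real
# django-auth-adfs setting name (if one is ever added) may differ.
AUTH_ADFS_ALLOWED_REDIRECT_HOSTS = {"localhost:5173"}


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    """One pass of the check; mirrors Django's url_has_allowed_host_and_scheme."""
    # Chrome treats three leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    # Some browsers ignore leading control characters, so reject them outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # "http:///evil.example" has a scheme but no host; browsers still use it.
    if parts.scheme and not parts.netloc:
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    return host_ok and (not scheme or scheme in valid_schemes)


def safe_redirect_target(redirect_to, request_host, allowed_hosts=(),
                         require_https=False):
    """Return redirect_to if it is relative or on a trusted host, else "/".

    Trusted hosts are the current request's host (the existing rule in the
    view) plus the explicit allow-list, so a dev frontend on another port
    can be a target without the callback becoming an open redirect.
    """
    url = (redirect_to or "").strip()
    if not url:
        return "/"
    trusted = {request_host, *allowed_hosts}
    # Browsers treat "\" as "/" in paths, so both spellings must pass.
    ok = (_host_and_scheme_ok(url, trusted, require_https)
          and _host_and_scheme_ok(url.replace("\\", "/"), trusted, require_https))
    return url if ok else "/"
```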