fix: add loopback for native apps redirect_uri (#1690)

* fix: allow loopback redirect_uri for native apps * add loopback to native redirect_uri * fix loopback * update oidc pkg * merge * fix: oidc compliance in read model
2025-08-11 21:37:32 +00:00 · 2021-05-03 09:07:54 +02:00
parent f70adec022
commit 5277dd0818
8 changed files with 140 additions and 1039 deletions
--- a/internal/domain/application_oidc.go
+++ b/internal/domain/application_oidc.go
@@ -9,10 +9,16 @@ import (
 )

 const (
-	http           = "http://"
-	httpLocalhost  = "http://localhost:"
-	httpLocalhost2 = "http://localhost/"
-	https          = "https://"
+	http                          = "http://"
+	httpLocalhostWithPort         = "http://localhost:"
+	httpLocalhostWithoutPort      = "http://localhost/"
+	httpLoopbackV4WithPort        = "http://127.0.0.1:"
+	httpLoopbackV4WithoutPort     = "http://127.0.0.1/"
+	httpLoopbackV6WithPort        = "http://[::1]:"
+	httpLoopbackV6WithoutPort     = "http://[::1]/"
+	httpLoopbackV6LongWithPort    = "http://[0:0:0:0:0:0:0:1]:"
+	httpLoopbackV6LongWithoutPort = "http://[0:0:0:0:0:0:0:1]/"
+	https                         = "https://"
 )

 type OIDCApp struct {
@@ -214,9 +220,15 @@ func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType,
 	if urlsAreHttps(redirectUris) {
 		return
 	}
-	if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
-		compliance.NoneCompliant = true
-		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeUserAgent {
+			compliance.NoneCompliant = true
+			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+		}
+		if appType == OIDCApplicationTypeNative && !onlyLocalhostIsHttp(redirectUris) {
+			compliance.NoneCompliant = true
+			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.NativeShouldBeHttpLocalhost")
+		}
 	}
 	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
 		compliance.NoneCompliant = true
@@ -253,13 +265,15 @@ func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplic
 		compliance.NoneCompliant = true
 		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
 	}
-	if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
-		compliance.NoneCompliant = true
-		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
-	}
-	if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
-		compliance.NoneCompliant = true
-		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeUserAgent {
+			compliance.NoneCompliant = true
+			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+		}
+		if !onlyLocalhostIsHttp(redirectUris) && appType == OIDCApplicationTypeNative {
+			compliance.NoneCompliant = true
+			compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+		}
 	}
 	if !compliance.NoneCompliant {
 		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
@@ -295,11 +309,20 @@ func containsCustom(uris []string) bool {

 func onlyLocalhostIsHttp(uris []string) bool {
 	for _, uri := range uris {
-		if strings.HasPrefix(uri, http) {
-			if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
-				return false
-			}
+		if strings.HasPrefix(uri, http) && !isHTTPLoopbackLocalhost(uri) {
+			return false
 		}
 	}
 	return true
 }
+
+func isHTTPLoopbackLocalhost(uri string) bool {
+	return strings.HasPrefix(uri, httpLocalhostWithoutPort) ||
+		strings.HasPrefix(uri, httpLocalhostWithPort) ||
+		strings.HasPrefix(uri, httpLoopbackV4WithoutPort) ||
+		strings.HasPrefix(uri, httpLoopbackV4WithPort) ||
+		strings.HasPrefix(uri, httpLoopbackV6WithoutPort) ||
+		strings.HasPrefix(uri, httpLoopbackV6WithPort) ||
+		strings.HasPrefix(uri, httpLoopbackV6LongWithoutPort) ||
+		strings.HasPrefix(uri, httpLoopbackV6LongWithPort)
+}