diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 070925618..abaad8049 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -99,7 +99,7 @@ class OAuthAuthorizationParams:
# and POST request.
query_dict = request.POST if request.method == "POST" else request.GET
state = query_dict.get("state")
- redirect_uri = query_dict.get("redirect_uri", "")
+ redirect_uri = query_dict.get("redirect_uri", "").lower()
response_type = query_dict.get("response_type", "")
grant_type = None
@@ -156,13 +156,20 @@ class OAuthAuthorizationParams:
if not self.redirect_uri:
LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", allowed_redirect_urls)
- if len(allowed_redirect_urls) < 1:
+
+ if self.provider.redirect_uris == "":
+ LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
+ self.provider.redirect_uris = self.redirect_uri
+ self.provider.save()
+ allowed_redirect_urls = self.provider.redirect_uris.split()
+
+ if self.provider.redirect_uris == "*":
LOGGER.warning(
- "Provider has no allowed redirect_uri set, allowing all.",
- allow=self.redirect_uri.lower(),
+ "Provider has wildcard allowed redirect_uri set, allowing all.",
+ allow=self.redirect_uri,
)
return
- if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
+ if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning(
"Invalid redirect uri",
redirect_uri=self.redirect_uri,
diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py
index e98f361ae..b59aa6071 100644
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@@ -66,7 +66,7 @@ class TokenParams:
provider=provider,
client_id=client_id,
client_secret=client_secret,
- redirect_uri=request.POST.get("redirect_uri", ""),
+ redirect_uri=request.POST.get("redirect_uri", "").lower(),
grant_type=request.POST.get("grant_type", ""),
state=request.POST.get("state", ""),
scope=request.POST.get("scope", "").split(),
@@ -123,21 +123,23 @@ class TokenParams:
LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
raise TokenError("unsupported_grant_type")
- def __post_init_code(self, raw_code):
+ def __post_init_code(self, raw_code: str):
if not raw_code:
LOGGER.warning("Missing authorization code")
raise TokenError("invalid_grant")
allowed_redirect_urls = self.provider.redirect_uris.split()
- if len(allowed_redirect_urls) < 1:
+ if self.provider.redirect_uris == "*":
LOGGER.warning(
- "Provider has no allowed redirect_uri set, allowing all.",
- allow=self.redirect_uri.lower(),
+ "Provider has wildcard allowed redirect_uri set, allowing all.",
+ redirect=self.redirect_uri,
)
- elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
+ # At this point, no provider should have a blank redirect_uri, in case they do
+ # this will check an empty array and raise an error
+ elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning(
"Invalid redirect uri",
- uri=self.redirect_uri,
+ redirect=self.redirect_uri,
expected=self.provider.redirect_uris.split(),
)
raise TokenError("invalid_client")
diff --git a/web/src/locales/en.po b/web/src/locales/en.po
index 8f4259149..fb1e348f1 100644
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@@ -2382,8 +2382,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "If multiple providers share an outpost, a self-signed certificate is used."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
#: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5187,6 +5191,10 @@ msgstr "Title"
msgid "To"
msgstr "To"
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+
#: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."
diff --git a/web/src/locales/fr_FR.po b/web/src/locales/fr_FR.po
index 7e194db3c..2715eead5 100644
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@@ -2366,8 +2366,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr ""
#: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5131,6 +5135,10 @@ msgstr "Titre"
msgid "To"
msgstr "À"
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
#: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."
diff --git a/web/src/locales/pseudo-LOCALE.po b/web/src/locales/pseudo-LOCALE.po
index 477bcced1..983e6722b 100644
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@@ -2374,7 +2374,11 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr ""
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
msgstr ""
#: src/pages/tenants/TenantForm.ts
@@ -5167,6 +5171,10 @@ msgstr ""
msgid "To"
msgstr ""
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
#: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr ""
diff --git a/web/src/locales/tr.po b/web/src/locales/tr.po
index dab1a070f..7f9ddf2a1 100644
--- a/web/src/locales/tr.po
+++ b/web/src/locales/tr.po
@@ -2337,8 +2337,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
-msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
-msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
+#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
+#~ msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
+
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
+msgstr ""
#: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@@ -5076,6 +5080,10 @@ msgstr "Başlık"
msgid "To"
msgstr "Kime"
+#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
+msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
+msgstr ""
+
#: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."
diff --git a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
index 9af90b8fc..df2cbc2fd 100644
--- a/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/pages/providers/oauth2/OAuth2ProviderForm.ts
@@ -171,7 +171,10 @@ ${this.instance?.redirectUris}
- ${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`}
+ ${t`If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.`}
+
+
+ ${t`To allow any redirect URI, set this value to "*". Be aware of the possible security implications this can have.`}