Oauth issues with use_secure_urls=true #9722

alecpl opened this issue Dec 3, 2024 · 1 comment
alecpl commented Dec 3, 2024

Prerequisites

  • I have searched for duplicate or closed issues
  • I can recreate the issue with all plugins disabled

Describe the issue

If you enabled use_secure_urls, the URL may contain a token prefix to the request base path. E.g. https://roundcube.test/index.php becomes https://roundcube.test/Vz2siuF3cr42OlPl/index.php.

Issues:

  1. In rcmail_oauth::get_redirect_uri() we build a request URL for the OAuth redirect. If the current base path includes the token, the redirect URL will contain it too. This will not work with OAuth providers that do validate the URL with the registered client's URL. We have to use a redirect URL without the token.
  2. After the user returns from the redirect, we should do the "secure redirect" (to a "tokenized URL") the same as we do in index.php on successful logon.

What browser(s) are you seeing the problem on?

No response

What version of PHP are you using?

No response

What version of Roundcube are you using?

1.6.9 - master

JavaScript errors

No response

PHP errors

No response

@alecpl alecpl added this to the 1.6.10 milestone Dec 3, 2024
@alecpl alecpl self-assigned this Dec 3, 2024
alecpl commented Dec 3, 2024

Fixed. Just a note that issue 2. didn't exist in master.

@alecpl alecpl closed this as completed Dec 3, 2024
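
The mismatch described in issue 1, as an added example that is not part of the original issue and is not Roundcube's code. The function names, the registered URI, and the provider-side exact-match check are assumptions for illustration; the URLs and token are the ones quoted in the issue.

```php
<?php
// Added example: hypothetical helpers, not rcmail_oauth::get_redirect_uri().

// Remove the known session token segment from a path. The token is passed
// in explicitly so that nothing is stripped by guessing at a pattern.
function strip_url_token(string $path, string $token): string
{
    if ($token === '') {
        return $path;
    }
    $needle = '/' . $token . '/';
    $pos = strpos($path, $needle);
    return $pos === false ? $path : substr_replace($path, '/', $pos, strlen($needle));
}

// Build the redirect_uri sent to the OAuth provider from the current
// request URL, without the use_secure_urls token prefix.
function oauth_redirect_uri(string $request_url, string $token): string
{
    $p = parse_url($request_url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('absolute URL required');
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $path = strip_url_token($p['path'] ?? '/', $token);
    // Query and fragment are dropped: the registered URI has neither.
    return $p['scheme'] . '://' . $p['host'] . $port . $path;
}

// Assumption: the provider compares redirect_uri to the registered
// values by exact string match.
function provider_accepts(string $redirect_uri, array $registered): bool
{
    return in_array($redirect_uri, $registered, true);
}

$token      = 'Vz2siuF3cr42OlPl'; // token from the issue's example URL
$request    = 'https://roundcube.test/Vz2siuF3cr42OlPl/index.php';
$registered = ['https://roundcube.test/index.php']; // constructed client registration

// Tokenized URL sent as-is: rejected, it differs from the registered value.
var_dump(provider_accepts($request, $registered));
// Token stripped first: matches the registered value.
var_dump(provider_accepts(oauth_redirect_uri($request, $token), $registered));
```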