- Issue created by @santhosh@21
- First commit to issue fork.
- Status changed to Needs review
10 months ago 8:33am 11 July 2024 - 🇮🇳India sarwan_verma
Hi @santhosh@21,
I have created MR!3 for the above patch. Please review it once.
So is this issue fixed? Is there a way I can configure the redirect URI to use https? The Drupal site is dockerized and deployed on Azure securely with https already. Where in the code, and in which file, can I find and configure it?
- Status changed to Needs work
about 2 months ago 2:05pm 28 February 2025 - 🇺🇸United States pfrilling Minster, OH
Reading through the spec for the redirect URI (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), I'm not sure we should enforce https.
REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. Also, if the Client is a native application, it MAY use the http scheme with localhost or the IP loopback literals 127.0.0.1 or [::1] as the hostname. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
I think the better approach would be to add a new option that allows an administrator to enforce https if they choose.
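An added example, not code from the OpenID Connect module or from anyone in this thread, showing how the spec rules quoted above and the proposed administrator "enforce https" option could be expressed as one validator in PHP. The `RedirectUriPolicy` class, the function names and parameters, and the PHP 8.1 constructor-promotion syntax are assumptions; the exact-match check against the pre-registered URIs is kept separate because the spec requires simple string comparison there, independent of the scheme rules.

```php
<?php
// Added example, not the module's code. Names and parameters below are assumptions.

// Per-client settings an administrator would set; enforceHttps is the proposed new option.
final class RedirectUriPolicy {
    public function __construct(
        public readonly bool $enforceHttps,        // admin option: reject any non-https redirect URI
        public readonly bool $confidentialClient,  // client can hold a secret (server-side app)
        public readonly bool $opAllowsHttp,        // the OP permits http redirect URIs for such clients
        public readonly bool $nativeApp,           // client is a native application
    ) {}
}

/**
 * Checks the scheme rules from OpenID Connect Core 1.0 §3.1.2.1 plus the admin option.
 * Returns an empty array when $uri is acceptable, otherwise a list of reasons.
 */
function validateRedirectUriScheme(string $uri, RedirectUriPolicy $policy): array {
    $parts = parse_url($uri);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return ['Redirect URI must be absolute, with a scheme and host.'];
    }
    $errors = [];
    if (isset($parts['fragment'])) {
        // RFC 6749 §3.1.2: the redirection endpoint URI must not include a fragment.
        $errors[] = 'Redirect URI must not contain a fragment.';
    }

    $scheme = strtolower($parts['scheme']);
    // parse_url() keeps the brackets on IPv6 literals such as [::1]; strip them for comparison.
    $host = strtolower(trim($parts['host'], '[]'));

    if ($scheme === 'https') {
        return $errors; // the SHOULD case: always acceptable
    }
    if ($policy->enforceHttps) {
        $errors[] = 'Administrator policy requires the https scheme for redirect URIs.';
        return $errors;
    }
    if ($scheme === 'http') {
        $loopback = in_array($host, ['localhost', '127.0.0.1', '::1'], true);
        if ($policy->nativeApp && $loopback) {
            return $errors; // native app on the loopback interface
        }
        if ($policy->confidentialClient && $policy->opAllowsHttp) {
            return $errors; // confidential client and the OP allows http
        }
        $errors[] = 'http redirect URIs are only allowed for confidential clients when the OP '
                  . 'permits them, or for native apps using localhost / 127.0.0.1 / [::1].';
        return $errors;
    }
    // Any other scheme (e.g. a custom callback scheme for a native app) is permitted by the
    // spec; whether it is acceptable is decided by the registration match below.
    return $errors;
}

/**
 * The spec's separate requirement: the URI must exactly match a pre-registered value
 * (RFC 3986 §6.2.1 simple string comparison, so no normalisation or prefix matching).
 */
function matchesRegisteredRedirectUri(string $uri, array $registered): bool {
    return in_array($uri, $registered, true);
}

// Usage sketch with constructed values:
$policy = new RedirectUriPolicy(enforceHttps: false, confidentialClient: true, opAllowsHttp: false, nativeApp: false);
$uri = 'http://example.test/openid-connect/callback';
$problems = validateRedirectUriScheme($uri, $policy);
$registered = ['https://example.test/openid-connect/callback'];
if ($problems || !matchesRegisteredRedirectUri($uri, $registered)) {
    // Reject the authorization request; $problems explains the scheme failure,
    // and the registration mismatch is reported separately.
}
```

With `enforceHttps` left off, the validator reproduces the spec's own permissiveness (http is tolerated for a confidential client only when the OP opts in, and for native apps only on loopback); turning the option on gives administrators who already terminate TLS, as in the Azure deployment mentioned earlier in the thread, a way to refuse plain-http callbacks without the module hard-coding that choice for everyone.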