Support for dynamic authorization URL params #41
Comments
If the additional parameters are added to the URL, they aren't parsed by the providers?
Sorry, I'm not sure I follow. For things like

```clojure
(def handler
  (wrap-oauth2
   routes
   {:twitter
    {:authorize-uri "https://api.twitter.com/oauth/authorize?force_login=true"
     ...
     }}))
```

But if I wanted to use the Google I'm honestly pretty far out of my element, just wrote my first Clojure code last week, largely based on the example here.

To be transparent, I'm just wanting to put together some docs for an OAuth service I run to better support Clojure developers who are integrating us. I've got an example repo here - https://github.com/enterprise-oss/osso-clojure-example. Our service supports passing an I can hardcode these things fine, which works in like a single tenant type of situation. But I want to be able to POST a form to the
Ah, I see what you mean. What about this: we change the launch handler so that if the
Yes that sounds like exactly what I need! I do wonder if there's value in sanitizing or allow-listing the parameters. For instance, I'm including the Should I take a pass at this? Feels like we would need to pull the params out of the
Yep, that's what I had in mind, and you can certainly take a go at it if you want.
Some OAuth providers support extra query params that aren't appropriate for hardcoding. One example is Google OAuth, which accepts an `hd` param to the authorization URL that can restrict logins to users with the provided email domain. This commit allows a developer to submit a request to the launch-uri with parameters. These parameters will now be passed along to the authorization URI as the user is sent to the OAuth provider to authenticate. Also adds a test for this functionality. weavejester#41
I think it would be useful to make it even more dynamic; allow the :authorize-uri not only be a string, but a I have a use case to integrate with the Shopify oAuth API, and it requires the following uri: where the {shop} subdomain is only available at runtime (by checking my logged in user, and its settings, to get the {shop} subdomain from its settings). The implementation could be quite short, just modifying this function, to see if :authorize-uri in the profile is a Would that make sense as an implementation?
Hi all, We've just hit this exact problem with Azure AD (v1) where a Either @Kah0ona or @sbauch solution looks good for us. It looks like #42 was ready to be merged (pending squashed commits), but abandoned by author. Happy to dedicate some time in whatever way to get a resolution :)
Some OAuth providers accept additional URL query params as part of the OAuth authorization URL.

Some examples

• Twitter supports `screen_name` and `force_login` parameters - https://developer.twitter.com/en/docs/authentication/api-reference/authorize
• Google supports an `hd` parameter to restrict logins to users with that domain, among some other non-standard params - https://developers.google.com/identity/protocols/oauth2/openid-connect#sendauthrequest

Some of these, like `force_login`, can be hardcoded in user space when using this middleware.

But it doesn't seem like one can make a POST request to the `launch_uri` with additional, dynamic params such that they are passed to the provider's authorization URL.

Would the maintainers here be interested in a PR that adds this functionality, or be willing to add it themselves? I can take a stab, but I'm very new to Clojure.
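The allow-listing idea raised in the comments, sketched as an added example (not code from this project or from the pull request): the `:allowed-params` profile key, the `reserved-params` set and both function names are assumptions, and the profile values are constructed. Request params reach the authorization URL only if allow-listed, and the middleware's own params are merged last so a launch request cannot replace `redirect_uri`, `state` or `client_id`.

```clojure
(ns example.authorize-params
  (:require [clojure.string :as str])
  (:import (java.net URLEncoder)))

;; Constructed profile; :allowed-params is a hypothetical key, not a project option.
(def profile
  {:authorize-uri  "https://accounts.google.com/o/oauth2/v2/auth"
   :client-id      "example-client-id"
   :redirect-uri   "https://app.example.com/oauth2/google/callback"
   :scopes         ["openid" "email"]
   :allowed-params #{"hd" "login_hint"}})

;; Params the middleware owns; a request must never be able to set these.
(def reserved-params
  #{"client_id" "redirect_uri" "response_type" "scope" "state"})

(defn- encode [s] (URLEncoder/encode (str s) "UTF-8"))

(defn- query-string [params]
  (str/join "&" (for [[k v] params] (str (encode k) "=" (encode v)))))

(defn extra-params
  "Keeps only allow-listed, non-reserved params with a single non-blank
  string value. Repeated params (vectors in Ring) are dropped. A profile
  without :allowed-params forwards nothing."
  [profile request-params]
  (into (sorted-map)
        (filter (fn [[k v]]
                  (and (contains? (:allowed-params profile) k)
                       (not (contains? reserved-params k))
                       (string? v)
                       (not (str/blank? v)))))
        request-params))

(defn authorize-uri
  "Builds the provider URL. Middleware-owned params are merged last so they
  win even if the allow-list is misconfigured."
  [profile state request-params]
  (let [base   (:authorize-uri profile)
        owned  (sorted-map "client_id"     (:client-id profile)
                           "redirect_uri"  (:redirect-uri profile)
                           "response_type" "code"
                           "scope"         (str/join " " (:scopes profile))
                           "state"         state)
        params (merge (extra-params profile request-params) owned)]
    (str base (if (str/includes? base "?") "&" "?") (query-string params))))

(comment ; constructed launch params: only "hd" is forwarded
  (authorize-uri profile "constructed-state"
                 {"hd" "example.com" "redirect_uri" "https://other.example/cb" "prompt" "none"}))
```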