Skip to content

b/176762319: remove authorizationUrl redirect#824

Merged
qiwzhang merged 1 commit intocloudendpoints:masterfrom
qiwzhang:authorization-url
Jan 5, 2021
Merged

b/176762319: remove authorizationUrl redirect#824
qiwzhang merged 1 commit intocloudendpoints:masterfrom
qiwzhang:authorization-url

Conversation

@qiwzhang
Copy link
Contributor

@qiwzhang qiwzhang commented Jan 5, 2021
edited
Loading

Signed-off-by: Wayne Zhang [email protected]

This was added as a "feature" 4 years ago by #228
It really is a bug. If a user accidentally set authorizationUrl in the openapi spec, ESP auth will behave wrong.

b/176762319:another user run into this problem.

I added this "feature" for Flex team, but I don't think they are using it.
I don't think anybody is using this feature either since it is not documented. It was designed for OAuth flow, but it is not complete, it requires more query parameters from JWT token during 302 redirect.

@qiwzhang qiwzhang requested review from TAOXUY and nareddyt January 5, 2021 22:44
@qiwzhang qiwzhang merged commit 621211d into cloudendpoints:master Jan 5, 2021
@qiwzhang qiwzhang deleted the authorization-url branch January 5, 2021 23:28
@pulidon
Copy link

pulidon commented Jan 14, 2021

@qiwzhang @nareddyt @TAOXUY, this fueature shoudn't have been removed, as 'authorizationUrl' is a required parameter by the OpenAPI Specification https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitionsObject, furthemore if I'm using other authentication systems like (Auth0, Firebase) I should have the functionality to send not authenticated users to the authentication portal. please let me know if I should create a Issue or reopen the previous one.

@nareddyt
Copy link
Contributor

nareddyt commented Jan 14, 2021

What do you think @qiwzhang? Worst case we can revert this PR and place this behavior around a feature flag (disabled by default, @pulidon can enable it).

@qiwzhang
Copy link
Contributor Author

qiwzhang commented Jan 14, 2021

OK, let us add his feature back under a flag. My judgement is: most people don't use it, but they get confused when we redirect to that URL silently. For the new users that want the redirect feature, they can enable it explicitly.

BTW, ESPv2 doesn't have this feature, we need to add it to ESPv2 too.

qiwzhang added a commit to qiwzhang/esp that referenced this pull request Jan 15, 2021
@qiwzhang
Revert "remove authorizationUrl redirect (cloudendpoints#824)"
fa8eece 
This reverts commit 621211d.
@qiwzhang qiwzhang mentioned this pull request Jan 15, 2021
Merged
qiwzhang added a commit that referenced this pull request Jan 15, 2021
@qiwzhang
Add back authorizationUrl redirect feature with a flag (#828)
f67ffdc 
* Revert "remove authorizationUrl redirect (#824)"

This reverts commit 621211d.

* Add redirect_authorization_url flag

Signed-off-by: Wayne Zhang <[email protected]>

* rename the flag

Signed-off-by: Wayne Zhang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TAOXUY TAOXUY TAOXUY approved these changes

+1 more reviewer

@nareddyt nareddyt nareddyt approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@qiwzhang @pulidon @nareddyt @TAOXUY