Hi James,
The `oauth2_start_flow` method returns an instance of a flow-manager object. Could you try holding on to that instance, and then calling that instance's `get_authorize_url` and `exchange_code_for_tokens` methods?
~ Karl
Hi James,
Two questions for you, referencing your original post:
1. What is the type of the object returned by `client = GlobusOperations().general_auth_client()`? Is it a NativeAppAuthClient or a ConfidentialAppAuthClient?
2. What is `request.url`? Is it the URL that the user needs to be redirected to, after the Globus auth is completed?
~ Karl
Hi James,
What you’re running into is a protection against item 1 of OWASP’s “OAuth 2.0 Essential Basics”: Clients and Authorization Server must not expose URLs that forward the user's browser to arbitrary URIs obtained from a query parameter ("open redirectors") which can enable exfiltration of authorization codes and access tokens.
The redirect URL you pass to Globus Auth must be one of the URLs that you’ve specified, when you set up the App on the Globus Developers site.
If you want to pass some additional information on to your app, OAuth 2.0 (and Globus Auth) provides the “state” parameter: You provide some string as the state. When Globus Auth redirects the client back to your chosen redirect URL, the state will be one of the parameters (along with the code).
One web app I regularly use does the following, whenever I try to visit a web page without having logged in:
1. Generate a random UUID
2a. Set a cookie, containing the UUID and the URL I was trying to visit.
2b. Redirect me to an OAuth 2.0 login, with the UUID as the state.
3. After I’m redirected back to the application, compare the UUID from the state with my browser cookies:
• If the UUID is present in the cookie, and it matches the UUID from the state, I am authenticated, and redirected to the place I originally wanted to go.
• In any other case, the app revokes the just-issued token, then returns an error.
As for request types: All of the OAuth 2.0 operations are GET requests, with parameters passed via the URL query string.
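The cookie-plus-state check described in the post above, written out as an added example. This is not part of the original thread and not Globus SDK code; the authorize endpoint, client ID and redirect URI are assumed placeholders (the redirect URI stands for one registered for the app on the Globus Developers site), and `revoke` is a hook the application supplies to revoke or discard whatever was issued for the code.

```python
import hmac
import json
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this example only.
AUTHORIZE_ENDPOINT = "https://auth.globus.org/v2/oauth2/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real client
REDIRECT_URI = "https://example.org/oauth/callback"  # assumed to be a registered redirect URL
COOKIE_NAME = "login_state"


def query_param(url, name):
    """Return the first value of a query-string parameter, or None."""
    return parse_qs(urlsplit(url).query).get(name, [None])[0]


def safe_local_path(url):
    """Keep only a relative path on this app as the 'where I wanted to go'
    destination, so the cookie itself cannot turn into an open redirect."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or "\\" in parts.path:
        return "/"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return "/"
    return parts.path + ("?" + parts.query if parts.query else "")


def start_login(requested_url):
    """Steps 1 and 2: mint a random UUID, store it with the destination in a
    cookie value, and build the authorize URL carrying the UUID as ``state``.
    Returns (cookie_value, redirect_url); the caller sets the cookie and redirects."""
    nonce = str(uuid.uuid4())
    cookie_value = json.dumps({"nonce": nonce, "next": safe_local_path(requested_url)})
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,   # must match a registered redirect URL exactly
        "response_type": "code",
        "scope": "openid",
        "state": nonce,
    }
    return cookie_value, AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, cookie_value, revoke):
    """Step 3: compare the ``state`` echoed back on the redirect with the UUID
    in the browser's cookie. Returns ("ok", next_url, code) on a match; on any
    other outcome calls revoke(code) and returns ("error", reason)."""
    code = query_param(callback_url, "code")
    state = query_param(callback_url, "state")
    if code is None or state is None:
        return ("error", "missing code or state")
    try:
        saved = json.loads(cookie_value or "")
        expected, next_url = saved["nonce"], saved["next"]
    except (ValueError, KeyError, TypeError):
        revoke(code)
        return ("error", "no login cookie")
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(expected.encode(), state.encode()):
        revoke(code)
        return ("error", "state mismatch")
    return ("ok", next_url, code)


if __name__ == "__main__":
    revoked = []
    cookie, login_url = start_login("/datasets/42?tab=files")
    print("redirect user to:", login_url)
    # Constructed callback, as Globus Auth would redirect the browser back.
    echoed_state = query_param(login_url, "state")
    print(handle_callback(REDIRECT_URI + "?code=abc&state=" + echoed_state, cookie, revoked.append))
    print(handle_callback(REDIRECT_URI + "?code=xyz&state=forged", cookie, revoked.append), revoked)
```

When setting the cookie in a real app, mark it `HttpOnly` and `Secure`, and use `SameSite=Lax` rather than `Strict`: the redirect back from Globus Auth is a top-level cross-site navigation, and a `Strict` cookie would not be sent on it, so every login would fail the check.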