Allowing wildcards in Redirect URIs


John Smith

Mar 17, 2011, 9:32:51 AM
to oauth2-dev
Hi,

We plan to add login with FB and Google Accounts to our web site.
Although we only need basic data, like name and email, OAuth 2 seems
to be a good choice as it is implemented by both sites.

Each developer has a copy of the web site on his or her computer,
these sites are accessed via the FQDN of the given host, e.g.
john.ourintranet.com, bill.ourintranet.com, etc. We can't use
localhost for technical reasons. These sites are only available from
the intranet, but that should not matter, I guess.
Question: is there any way to specify *.ourintranet.com in the API
Console/Identities/Redirect URIs? It seems it only allows full URIs to
be specified.
If not, is there a way for testing OAuth2 authentication with Google
Accounts from these development workstations?

Cheers,
John


Stuart Massey

Mar 17, 2011, 10:10:01 AM
to oauth...@googlegroups.com
If it's in a Windows environment, could you not use a common URL on the API config. and modify the hosts file on each machine to redirect the domain to the localhost IP?

Marius Scurtescu

Mar 17, 2011, 12:04:48 PM
to oauth...@googlegroups.com
Each developer has to register and get their own client id and secret. During registration they can all specify their own redirect URI.

You can probably figure out hacks and workarounds for this limitation, but they are all fragile and insecure.

John Smith

Mar 18, 2011, 7:33:10 AM
to oauth2-dev
Thanks for the replies.
The hosts file trick works only if you run a single web site on the
development PC (no port number needed). It would also fail if you have
an internal test web server that you access from another internal
workstation, as the redirection would go to your workstation instead
of the test web server.
The other suggested solution was creating a separate registration for
each developer. But this would make the config files hard to manage.
We keep the api keys in an encrypted config file which should be the
same on all the dev workstations. The file itself is source controlled
so you can't have a different version for each developer.

Based on their documentation, Facebook allows you to specify a domain.
If set, it accepts authentication from any subdomain. I think this is
the proper solution for this.
Will this be possible in the near future?



On Mar 17, 10:10 am, Stuart Massey <vortechs.ph...@gmail.com> wrote:
> If it's in a Windows environment, could you not use a common URL on the API
> config. and modify the hosts file on each machine to redirect the domain to
> the localhost IP?
>

Andrew Wansley

Mar 18, 2011, 12:26:37 PM
to oauth...@googlegroups.com, John Smith
Hey John,

Could you shed a bit more light on why localhost/ redirect_uris don't work for you guys?

Andrew

John Smith

Mar 18, 2011, 2:08:02 PM
to oauth2-dev
Hi Andrew,

Let's say that we register https://testpc.ourintranet.com/oauth/ as
the redirect uri and change the hosts file on all workstations and
development servers to resolve this address to 127.0.0.1. In this
case, you can only use the OAuth feature on the site running on your
own workstation and can't test it on other computers, because the
redirection would always resolve to the localhost. We also have quite
a few development servers which run different branches of the site.
Testers would need to change their hosts file every time they want to
check a different server, let alone if they want to check something on
a site running on a dev workstation.
Another example is if I want to show stuff running on my PC to a
remote sales guy. I should ask him to edit his hosts file, etc.
So while this sounds reasonable for a small dev team, it does not
really work out in a larger environment. FB allows you to specify a
domain, that would be the perfect solution for us. I don't see any
security problems with that.

John


On Mar 18, 5:26 pm, Andrew Wansley <aw...@google.com> wrote:
> Hey John,
>
> Could you shed a bit more light on why localhost/ redirect_uris don't work
> for you guys?
>
> Andrew
>
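The thread contrasts three ways an authorization server could match a redirect URI: exact string comparison (what John says the API Console enforced), a registered domain covering every subdomain (what he describes Facebook offering), and an ad-hoc wildcard. The following added example, which is not code from this thread, from Google or from Facebook, implements each check so the difference is concrete. The registered values (`https://testpc.ourintranet.com/oauth/` and the domain `ourintranet.com`) are constructed from the thread's own hostnames; the naive glob pattern is a hypothetical string-wildcard that stands in for "*.ourintranet.com" applied to the whole URI. The host-aware domain check shows the edge cases a domain registration has to get right (look-alike hosts, userinfo tricks, scheme, port), and the glob version shows why matching the URI as a plain string is not an acceptable implementation of the same idea.

```python
"""Three redirect_uri matching policies, side by side (added example).

All registrations below are constructed for this example and are not real
client configurations.
"""
import fnmatch
from urllib.parse import urlsplit

# Exact-URI registration, the model the thread says the API Console used.
REGISTERED_EXACT = {"https://testpc.ourintranet.com/oauth/"}

# Domain registration, the model the thread attributes to Facebook:
# every host under this domain is trusted to receive authorization codes.
REGISTERED_DOMAINS = {"ourintranet.com"}

# Hypothetical naive wildcard applied to the whole URI as a glob string.
NAIVE_PATTERN = "https://*.ourintranet.com/oauth/"


def matches_exact(redirect_uri: str, registered=frozenset(REGISTERED_EXACT)) -> bool:
    """Whole-URI equality: strictest policy, but one entry per developer host."""
    return redirect_uri in registered


def matches_domain(redirect_uri: str, domains=frozenset(REGISTERED_DOMAINS)) -> bool:
    """Accept only https URIs whose host IS the registered domain or a proper
    subdomain of it (label boundary enforced with a leading dot).

    urlsplit().hostname lowercases the host and strips port and userinfo, so
    'https://user@ourintranet.com@evil.example/' resolves to 'evil.example'
    and is rejected. Note what this policy still accepts: any path on any
    subdomain, so every host under the domain must be trusted equally.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


def naive_glob_match(redirect_uri: str, pattern: str = NAIVE_PATTERN) -> bool:
    """String-glob 'wildcard'. '*' also matches '/', '?', '@' and '.', so the
    registered suffix can appear inside the query string of a foreign host.
    Shown here only to demonstrate why this is not a domain check.
    """
    return fnmatch.fnmatchcase(redirect_uri, pattern)


def classify(redirect_uri: str) -> dict:
    """Run all three policies on one candidate URI and report the verdicts."""
    return {
        "exact": matches_exact(redirect_uri),
        "domain": matches_domain(redirect_uri),
        "naive_glob": naive_glob_match(redirect_uri),
    }


if __name__ == "__main__":
    # Constructed candidates: the thread's own hosts plus a few look-alikes.
    candidates = [
        "https://testpc.ourintranet.com/oauth/",
        "https://john.ourintranet.com/oauth/",
        "https://bill.ourintranet.com:8443/oauth/",
        "http://john.ourintranet.com/oauth/",
        "https://ourintranet.com.evil.example/oauth/",
        "https://evil-ourintranet.com/oauth/",
        "https://evil.example/steal?u=.ourintranet.com/oauth/",
    ]
    for uri in candidates:
        print(f"{uri:60s} {classify(uri)}")
```

Running the block prints one verdict line per candidate. The last candidate is the one to look at: the glob accepts it because `*` swallowed the foreign host and everything up to the query string, while the host-aware domain check rejects it. The thread's point stands either way: a domain registration is workable only if the server parses the host properly and every subdomain is equally trusted.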

John Smith

Mar 25, 2011, 10:52:18 AM
to oauth2-dev
If anyone from Google reads this: please allow specifying a domain the
same way as FB does. Without this, it's going to be hard to develop in
a larger organization.

John