Preflight Checklist
Version
master
Storage Type
SQLite
Installation Type
Binary
Expected Behavior
When you visit a URL with a fragment, and get redirected to dex to authenticate, the fragment should be part of the URL when redirected back to the original URL.
Example: A user navigates to https://example.com/#/about/me. It is redirected for authentication to dex IDP for ldap authentication. When successfully authenticated it will end up being redirected to https://example.com/
Actual Behavior
When you visit a URL with a fragment, and get redirected to dex to authenticate, form interaction (password.html) will remove (or not include) the fragment in the form action.
The fragment should be part of the form post so that it is present in the URL when redirected back to the original URL.
Steps To Reproduce
- Checkout master
- make build
- Run dex
  ./bin/dex serve examples/config-dev.yaml
- Run example app
  cd examples && go run ./example-app
- Go to http://127.0.0.1:5555/ click login
- Add #foobar to the URL and force refresh
- Click "Login with email" and observe the fragment is gone
- Add #foobar to the URL and force refresh
- Login using static user credentials admin@example.com and password and observe the fragment is gone when redirected.
Additional Information
This issue exists because the URL fragment stays in the browser; it's a client-side part. So with the first URL request from the browser the server can have many redirects and the fragment will stay. But when there is a form to submit something (user/pass) and the fragment is not included, it will be lost.
The redirect URL is created on the server and it is expected that this does not include the URL fragment.
oauth2-proxy has a similar fix for this problem. https://github.com/oauth2-proxy/oauth2-proxy/blob/0100ca9403399716586f56a08c784fc690c6fc79/pkg/app/pagewriter/sign_in.html#L113
--
I'm using dex + ldap as IDP with oauth2-proxy to protect an upstream webserver. I only have one connector and the auth selection page is skipped.
Configuration
examples/config-dev.yaml
Logs
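The client-side approach the report asks for, as an added example that is not code from dex, oauth2-proxy or the issue author: copy the browser's fragment onto the login form's action before submit, so it travels with the POST and is inherited by the redirects that follow. The function names and the sample form action are hypothetical and constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not dex or oauth2-proxy code.

// Return `action` with its fragment replaced by `hash`, a value shaped like
// window.location.hash ("" or "#..."). Path and query string are untouched.
function actionWithFragment(action, hash) {
  if (typeof hash !== 'string' || hash.length < 2 || hash[0] !== '#') {
    return action; // "", a bare "#", or a malformed value: nothing to keep
  }
  const idx = action.indexOf('#');
  const base = idx >= 0 ? action.slice(0, idx) : action; // add the hash only once
  return base + hash;
}

// Rewrite every form action in `doc`; returns how many forms were changed.
// The fragment comes from the visited link, so it is untrusted input: it is
// written with setAttribute as URL data and never concatenated into markup.
function preserveFragment(doc, hash) {
  let changed = 0;
  for (const form of doc.querySelectorAll('form[action]')) {
    const before = form.getAttribute('action');
    const after = actionWithFragment(before, hash);
    if (after !== before) {
      form.setAttribute('action', after);
      changed++;
    }
  }
  return changed;
}

// In a browser, run once when the login page loads. Skipped outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  preserveFragment(document, window.location.hash);
}
```

The fragment is still never sent to the server, so server-side redirect validation is unaffected and server logs will not show it.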