Skip to content

Relax redirect URL matching for the forward slash path case #710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Relax redirect URL matching for the forward slash path case #710

wants to merge 6 commits into from

Conversation

AlexPlekhov
Copy link

@AlexPlekhov AlexPlekhov commented Jun 10, 2022
edited by petea
Loading

Based on issue #446 sometimes a trailing slash added to path for redirect url.
Here a fix to make comparison regardless that trailing slash.

This issue affects react-native-app-auth lib:
FormidableLabs/react-native-app-auth#123
FormidableLabs/react-native-app-auth#336

and a few others.

@petea
Copy link
Collaborator

petea commented Jun 10, 2022

Thanks for the contribution @AlexPlekhov, could you sign the contributor agreements so we can get this merged?

@AlexPlekhov
Copy link
Author

Hi @petea, I've already done it immediately after creating PR. I hope you got email notifications. If didn't I'm ready to send those PDFs via email.

@AlexPlekhov
Copy link
Author

Thanks for the contribution @AlexPlekhov, could you sign the contributor agreements so we can get this merged?

Hi @petea, could you confirm that everything OK? I followed the steps in the contributor agreements. Please, write me back if I missed anything and still have to do something.

@ntherning
Copy link

Would be great to have this PR merged as it fixes an issue with Azure AD we have been experiencing. The Azure Portal gives us a redirect URI which looks like msauth.com.example.app://auth to use with our iOS app. But when the redirect back to our app happens they have appended a slash which breaks AppAuth's redirect URI validation. With the changes in this PR applied AppAuth happily accepts the redirect URI and proceeds.

@ntherning ntherning mentioned this pull request Jul 1, 2022
Open
@AlexPlekhov
Copy link
Author

Hi all, @petea,

I've resigned all docs as required by Mike Leszcz, was added to a WG, got a subscription email.
But it's still in review. Have I missed anything again?

@developerfromjokela
Copy link

I think this should be merged, as this is mission critical for functioning apps that rely on third party services and thus cannot influence how the backend behaves.

@petea petea changed the title Update OIDAuthorizationService.m Improve redirect URL matching for the forward slash path case Aug 18, 2022
@petea petea linked an issue Aug 18, 2022 that may be closed by this pull request
Trailing slash in URL breaks the auth flow #446
Open
petea
petea requested changes Aug 18, 2022
View reviewed changes
@petea
Copy link
Collaborator

petea commented Aug 18, 2022

@developerfromjokela note that there are workarounds for this situation discussed in #446.

@petea petea changed the title Improve redirect URL matching for the forward slash path case Relax redirect URL matching for the forward slash path case Aug 18, 2022
@AlexPlekhov
Copy link
Author

@developerfromjokela note that there are workarounds for this situation discussed in #446.

Yep, we already did the same. But wants to help the community to not face with it again.

@AlexPlekhov AlexPlekhov requested a review from petea August 18, 2022 13:49
@davidkaya
Copy link

davidkaya commented Aug 31, 2022
edited
Loading

Hi @petea, will this get merged? We encountered this issue just today. We have support for multiple IdPs that support OIDC and customer wanted to use ADFS but it is not working cause ADFS appends / to the redirect uri 🤷🏽‍♂️

@petea
Copy link
Collaborator

petea commented Sep 8, 2022

@davidkaya note that there is a straightforward workaround for this issue that is detailed in #446.

@petea petea added this to the 1.6.0 milestone Sep 8, 2022
petea
petea requested changes Sep 9, 2022
View reviewed changes
@petea petea modified the milestones: 1.6.0, 1.6.1 Sep 9, 2022
@AlexPlekhov
Increase indent from 2 to 4.
20e4fba 
Add a comment for changes.
@AlexPlekhov AlexPlekhov requested a review from petea September 12, 2022 06:46
@DelcoigneYves
Copy link

Can we get this PR moving again? I think the only remaining question is a missing comment? Would help in our case (using the Flutter AppAuth library where this is an issue as well (and mentioned workaround does not apply in our case)

@AlexPlekhov
Copy link
Author

@DelcoigneYves
I did everything I could. Comments, formats - everything has been in place already.

@DelcoigneYves
Copy link

Then poking @petea for a merge 💯

petea
petea requested changes Oct 19, 2022
View reviewed changes
@AlexPlekhov AlexPlekhov requested a review from petea October 24, 2022 14:27
@AlexPlekhov
Copy link
Author

@DelcoigneYves @petea @davidkaya
Hi folks!
I give up. I see only resistance against this PR and ignorance.
May be you will be more successful to resolve this issue on your way.
I will close it soon.

@DelcoigneYves
Copy link

@petea LGTM! Can we please now merge it? 🙂 https://github.com/openid/AppAuth-iOS/blob/master/CONTRIBUTING.md#pull-request-reviews

@pawellaskowski
Copy link

Hi @petea, is this going to get merged?

@icanci01
Copy link

I’m encountering a similar issue in a React Native application that uses AppAuth on iOS. Interestingly, this works fine on Android, but iOS fails due to strict redirect URL matching.

The problem is that I have no control over the Identity Provider (IdP). The IdP rejects the client if I register the redirect URL with a trailing /, so I must use the version without the trailing slash. However, the IdP does append a trailing / when returning the authorization response, causing AppAuth’s strict path comparison to reject the redirect.

Requesting the IdP to change its behavior isn’t feasible, as adding a trailing slash for my client would risk breaking existing integrations.

Could we consider making the redirect URI/path matching more relaxed, or at least providing a configuration option where developers can specify alternative acceptable redirect URLs (e.g., allow both myapp://callback and myapp://callback/)?

The suggested workarounds from previous discussions didn’t solve this issue for me. I resorted to creating a custom patch that’s applied automatically during pod install, but this approach is fragile — any upstream file structure change in AppAuth forces me to maintain and update the patch manually.

I even tried intercepting/replacing the matching method at runtime, but had no success despite multiple attempts.

Could we please get an update on this Pull Request, or some guidance on a cleaner long-term solution? A small change upstream would greatly improve AppAuth’s flexibility for these kinds of real-world IdP inconsistencies.

@developerfromjokela
Copy link

developerfromjokela commented Jul 26, 2025
edited
Loading

I’m encountering a similar issue in a React Native application that uses AppAuth on iOS. Interestingly, this works fine on Android, but iOS fails due to strict redirect URL matching.

The problem is that I have no control over the Identity Provider (IdP). The IdP rejects the client if I register the redirect URL with a trailing /, so I must use the version without the trailing slash. However, the IdP does append a trailing / when returning the authorization response, causing AppAuth’s strict path comparison to reject the redirect.

Requesting the IdP to change its behavior isn’t feasible, as adding a trailing slash for my client would risk breaking existing integrations.

Could we consider making the redirect URI/path matching more relaxed, or at least providing a configuration option where developers can specify alternative acceptable redirect URLs (e.g., allow both myapp://callback and myapp://callback/)?

The suggested workarounds from previous discussions didn’t solve this issue for me. I resorted to creating a custom patch that’s applied automatically during pod install, but this approach is fragile — any upstream file structure change in AppAuth forces me to maintain and update the patch manually.

I even tried intercepting/replacing the matching method at runtime, but had no success despite multiple attempts.

Could we please get an update on this Pull Request, or some guidance on a cleaner long-term solution? A small change upstream would greatly improve AppAuth’s flexibility for these kinds of real-world IdP inconsistencies.

Seems rather hopeless trying to get this merged, 2 years oh boy. maybe starting a fork with the patch is worth it?

@icanci01
Copy link

@developerfromjokela Yeah, starting a fork with the patch is definitely an option, but it comes with a few drawbacks. Maintaining a fork means I have to keep it in sync with upstream, manually merge updates, and ensure compatibility with future iOS/React Native changes. It works as a quick fix sure.. but I don't want to have another burden... I think for now patching the file during pod install might be the easiest fix for me.. :) will just have to make sure with future updates to update my patch file...

I think the issue with this pull request is that the reviewer @petea seems to not be active anymore..

Can we have someone else that is actively maintaining this to have a look?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@developerfromjokela developerfromjokela developerfromjokela approved these changes

@petea petea Awaiting requested review from petea

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.6.1
Development

Successfully merging this pull request may close these issues.

Trailing slash in URL breaks the auth flow
8 participants
@AlexPlekhov @petea @ntherning @developerfromjokela @davidkaya @DelcoigneYves @pawellaskowski @icanci01