Securely redirects OAuth responses to known clients.
Project description
Description
During the OAuth workflow a webserver defined by redirect_uri receives the result of a the authorization given by the enduser.
This redirect_uri is usually a whitelisted uri to avoid phising attacks.
Unfortunately this makes it hard to write an OAuth integrated client to an API where the domain is not known in advance.
Faced with such a situation we wrote this server to move the decision of who can receive the result of an OAuth handshake from the OAuth provider to an intermediary.
How it Works
Using oauth_redirect the OAuth workflow works as follows:
The oauth_redirect server is run on a TLS protected site. For example: https://oauth.seantis.ch.
The OAuth provider is configured to allow redirects to https://oauth.seantis.ch/redirect.
The client that wants to acquire the authorisation registers itself with the oauth_redirect server using a secret authentication code.
The enduser is presented with the OAuth authorization site, with the redirect_uri set to https://oauth.seantis.ch/redirect.
The result is sent to the oauth_redirect server, which will forward/proxy the request to the client, if and only if the client has registered itself before and the request from the OAuth provider contains a token to that effect.
Methods
POST /register/<authentication code>
Used by the client/authorisation seeker to register itself. The client is required to include a secret authentication code in the registration message.
The body of the POST request is a json in this form:
{ 'url': "The url that handles the forwarded OAuth response.", 'ttl': "The optional time to live in seconds (defaults to 3600 seconds)", 'secret': "A client-specific secret that should be used authenticate the forwarded request. If the request does not contain this secret, someone other than oauth_redirect has sent it." }
Returns the token which needs to be passed by the OAuth provider:
{ 'token': "..." }
POST /redirect
The endpoint communicated to the OAuth provider through the redirect_uri. To authenticate the request coming from the OAuth provider must contain the token given by /register/<authentication code>.
Usually OAuth providers provide some kind of of value that may be passed from the client to the redirect_uri. This value can be used to carry the token back to the oauth_redirect server.
If there is no such value, the token may also be passed by url, using query paramters (i.e. https://oauth.seantis.ch/redirect?token=…).
Any value will do, a value in a json body, a formdata value or a query parameter.
If the redirect request is accepted it is proxied to the registered url. The result of the /redirect request is the result of the proxied url.
If the request was accepted, it is deleted.
Deployment
The server is implemented using aiohttp. It requires at least Python 3.5.
Though it might be possible to implement TLS support on the oauth_redirect we recommend that you put it behind a proper web proxy like nginx/apache.
To run the server run:
oauth-redirect --host localhost --port 8080 --database registered --auth <your custom auth code>
Run the Tests
Install tox and run it:
pip install tox tox
Limit the tests to a specific python version:
tox -e py27
Conventions
Oauth_redirect follows PEP8 as close as possible. To test for it run:
tox -e pep8
Oauth_redirect uses Semantic Versioning
Build Status
Coverage
Latest PyPI Release
License
oauth_redirect is released under GPLv2
Changelog
0.1.0 (2017-05-23)
Initial Release. [href]
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file oauth_redirect-0.1.0.tar.gz
.
File metadata
- Download URL: oauth_redirect-0.1.0.tar.gz
- Upload date:
- Size: 7.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 2f45b839c1ae4e214b5d2f6edc5c84cf1714a2c1c5075a4d37a1a4cd1202b904 |
|
MD5 | 96d15fd9e84f38b3123216fa77c18899 |
|
BLAKE2b-256 | a3abc46076772743f9192a1538a6c40701dc0d5c72dd8f9943f30e1dc5219785 |
File details
Details for the file oauth_redirect-0.1.0-py3-none-any.whl
.
File metadata
- Download URL: oauth_redirect-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9410926960a8330fc515a9a3614e01d1960f825ce1343bb1cd5e74f1c282d0b3 |
|
MD5 | 566f91b79893de8a6af160a72c637ec3 |
|
BLAKE2b-256 | 4f7c8f5d5e411b4f1b6b7b09ad7cd2a646e83ba5e79514db818f50dffad6be34 |