Skip to main content

Securely redirects OAuth responses to known clients.

Project description

Description

During the OAuth workflow a webserver defined by redirect_uri receives the result of a the authorization given by the enduser.

This redirect_uri is usually a whitelisted uri to avoid phising attacks.

Unfortunately this makes it hard to write an OAuth integrated client to an API where the domain is not known in advance.

Faced with such a situation we wrote this server to move the decision of who can receive the result of an OAuth handshake from the OAuth provider to an intermediary.

How it Works

Using oauth_redirect the OAuth workflow works as follows:

  1. The oauth_redirect server is run on a TLS protected site. For example: https://oauth.seantis.ch.

  2. The OAuth provider is configured to allow redirects to https://oauth.seantis.ch/redirect.

  3. The client that wants to acquire the authorisation registers itself with the oauth_redirect server using a secret authentication code.

  4. The enduser is presented with the OAuth authorization site, with the redirect_uri set to https://oauth.seantis.ch/redirect.

  5. The result is sent to the oauth_redirect server, which will forward/proxy the request to the client, if and only if the client has registered itself before and the request from the OAuth provider contains a token to that effect.

Methods

POST /register/<authentication code>

Used by the client/authorisation seeker to register itself. The client is required to include a secret authentication code in the registration message.

The body of the POST request is a json in this form:

{
    'url': "The url that handles the forwarded OAuth response.",
    'ttl': "The optional time to live in seconds (defaults to 3600 seconds)",
    'secret': "A client-specific secret that should be used authenticate
    the forwarded request. If the request does not contain this secret,
    someone other than oauth_redirect has sent it."
}

Returns the token which needs to be passed by the OAuth provider:

{
    'token': "..."
}

POST /redirect

The endpoint communicated to the OAuth provider through the redirect_uri. To authenticate the request coming from the OAuth provider must contain the token given by /register/<authentication code>.

Usually OAuth providers provide some kind of of value that may be passed from the client to the redirect_uri. This value can be used to carry the token back to the oauth_redirect server.

If there is no such value, the token may also be passed by url, using query paramters (i.e. https://oauth.seantis.ch/redirect?token=…).

Any value will do, a value in a json body, a formdata value or a query parameter.

If the redirect request is accepted it is proxied to the registered url. The result of the /redirect request is the result of the proxied url.

If the request was accepted, it is deleted.

Deployment

The server is implemented using aiohttp. It requires at least Python 3.5.

Though it might be possible to implement TLS support on the oauth_redirect we recommend that you put it behind a proper web proxy like nginx/apache.

To run the server run:

oauth-redirect --host localhost --port 8080 --database registered --auth <your custom auth code>

Run the Tests

Install tox and run it:

pip install tox
tox

Limit the tests to a specific python version:

tox -e py27

Conventions

Oauth_redirect follows PEP8 as close as possible. To test for it run:

tox -e pep8

Oauth_redirect uses Semantic Versioning

Build Status

Build Status

Coverage

Project Coverage

Latest PyPI Release

Latest PyPI Release

License

oauth_redirect is released under GPLv2

Changelog

0.1.0 (2017-05-23)

  • Initial Release. [href]

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

oauth_redirect-0.1.0.tar.gz (7.4 kB view details)

Uploaded Source

Built Distribution

oauth_redirect-0.1.0-py3-none-any.whl (11.4 kB view details)

Uploaded Python 3

File details

Details for the file oauth_redirect-0.1.0.tar.gz.

File metadata

File hashes

Hashes for oauth_redirect-0.1.0.tar.gz
Algorithm Hash digest
SHA256 2f45b839c1ae4e214b5d2f6edc5c84cf1714a2c1c5075a4d37a1a4cd1202b904
MD5 96d15fd9e84f38b3123216fa77c18899
BLAKE2b-256 a3abc46076772743f9192a1538a6c40701dc0d5c72dd8f9943f30e1dc5219785

See more details on using hashes here.

File details

Details for the file oauth_redirect-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for oauth_redirect-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9410926960a8330fc515a9a3614e01d1960f825ce1343bb1cd5e74f1c282d0b3
MD5 566f91b79893de8a6af160a72c637ec3
BLAKE2b-256 4f7c8f5d5e411b4f1b6b7b09ad7cd2a646e83ba5e79514db818f50dffad6be34

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page