URL validation prevents custom native client callback

Describe the problem you’d like to have solved

Today, the AuthApi.authorizeUrl method does validation for URLs using okhttp’s HttpUrl.parse which forces the callback to be either http or https. This prevents the callback being a custom URI scheme for native clients.

The use-case behind wanting support for this is we are moving our clients away from calling Auth0 directly (via the client SDKs) and knowing the details of Auth0 (clientIds, scopes, etc) and letting one dedicated/trusted backend own all that and call Auth0 (via this Java SDK). This means we do have scenarios where we will be calling this method and the callback will be a custom URI scheme for a native app.

Describe the ideal solution

Don’t enforce that the callback have a http or https scheme.

Alternatives and current work-arounds

A workaround would be to call this method as intended with a valid hard-coded https URL and then string replace that piece of it to the native app’s callback URL.

Additional information, if any

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 6 (4 by maintainers)
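
A scheme-agnostic callback check of the kind the issue asks for, as an added example (not code from auth0-java or from the issue author). It parses with `java.net.URI` instead of okhttp's `HttpUrl.parse`, keeps the OAuth 2.0 rule that a redirect URI is absolute and has no fragment (RFC 6749, section 3.1.2), and still requires a host for http/https; the class name, method name and sample URIs are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

public class CallbackUriCheck {

    /** True if value is usable as an OAuth 2.0 redirect URI, whatever its scheme. */
    static boolean isValidRedirectUri(String value) {
        if (value == null || value.isBlank()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return false; // malformed: discard rather than try to repair
        }
        // RFC 6749 section 3.1.2: must be absolute and must not carry a fragment.
        if (!uri.isAbsolute() || uri.getRawFragment() != null) {
            return false;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (scheme.equals("http") || scheme.equals("https")) {
            // Web callbacks keep the stricter rule: a host must be present.
            return uri.getHost() != null;
        }
        // Any other scheme is treated as a native-app custom scheme and accepted.
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the issue.
        List<String> samples = List.of(
                "https://app.example.com/callback",      // ordinary web callback
                "com.example.app://login/callback",      // custom scheme with authority
                "com.example.app:/oauth2redirect",       // custom scheme, path only
                "https://app.example.com/callback#frag", // fragment present
                "/callback",                             // relative, no scheme
                "https:///callback",                     // http(s) without a host
                "not a uri");                            // unparseable
        for (String s : samples) {
            System.out.printf("%-42s %s%n", s, isValidRedirectUri(s) ? "accepted" : "rejected");
        }
    }
}
```

This check only establishes that the value is well formed; whether a given callback is permitted for a client is a separate decision made against the callbacks registered for that application.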

Top GitHub Comments

1 reaction
poovamraj commented, May 20, 2022

Hi @dpromanko, We have released a new version (1.42.0) which should support this. Do let us know if you need any more help and thanks a lot for your contribution!

0 reactions
dpromanko commented, May 18, 2022

@poovamraj PR has been opened. I’ll check back later today/tomorrow for feedback. I also see that the api-diff is failing on circleci but I have no idea what that is for so please let me know if I missed something that caused that.
