OIDC callback is always HTTPS, even when entered as HTTP
Forceu opened this issue · 1 comment
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
I am not sure whether this is related to this project or to Authelia; therefore, I opened this issue here as well. The original issue can be found at authelia/authelia#6559
I am testing a local application that has the callback set to http://127.0.0.1:53842/oauth-callback
Authelia however redirects the output after granting the login to httpS://127.0.0.1:53842/oauth-callback
According to the OIDC draft specs, http may be allowed:
redirect_uri
REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
This would be a problem for applications not running on a web server, e.g. on the user's device.
Reproducing the bug
- Create a client with an HTTP callback in Authelia
- Get redirected to HTTPS
Relevant log output
No response
Relevant configuration
No response
Version
0.44.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response
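As an added example (not code from this issue, Ory, or Authelia), the redirect_uri check that the quoted spec clause describes, written in Go: a byte-for-byte match against the registered values, http accepted only for a confidential client when the provider opts in, and the matched URI handed back with its scheme untouched. The Client type, ResolveRedirectURI and the opAllowsHTTP flag are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Client holds the parts of a pre-registered OIDC client that matter for
// redirect_uri validation (constructed for this example).
type Client struct {
	ID           string
	Confidential bool     // Client Type per OAuth 2.0 Section 2.1
	RedirectURIs []string // values registered at the OpenID Provider
}

var (
	ErrRedirectMismatch = errors.New("redirect_uri does not exactly match a registered value")
	ErrHTTPNotAllowed   = errors.New("http redirect_uri not permitted for this client")
)

// ResolveRedirectURI applies the quoted clause: the requested value must equal a
// registered one exactly (RFC 3986 Section 6.2.1, simple string comparison), and
// an http scheme is accepted only for a confidential client when the OP allows it.
// The matched URI is returned as registered; the caller must not rewrite its scheme.
func ResolveRedirectURI(c Client, requested string, opAllowsHTTP bool) (string, error) {
	u, err := url.Parse(requested)
	if err != nil {
		return "", fmt.Errorf("redirect_uri is not a valid URI: %w", err)
	}
	matched := false
	for _, reg := range c.RedirectURIs {
		if reg == requested { // no normalisation of scheme, host, port or path
			matched = true
			break
		}
	}
	if !matched {
		return "", ErrRedirectMismatch
	}
	if u.Scheme == "http" && !(c.Confidential && opAllowsHTTP) {
		return "", ErrHTTPNotAllowed
	}
	return requested, nil
}

func main() {
	c := Client{ID: "local-app", Confidential: true,
		RedirectURIs: []string{"http://127.0.0.1:53842/oauth-callback"}}
	got, err := ResolveRedirectURI(c, "http://127.0.0.1:53842/oauth-callback", true)
	fmt.Println(got, err) // http://127.0.0.1:53842/oauth-callback <nil>
	_, err = ResolveRedirectURI(c, "https://127.0.0.1:53842/oauth-callback", true)
	fmt.Println(err) // redirect_uri does not exactly match a registered value
}
```

The https variant fails the exact match even though it is "more secure", which is why an OP that silently upgrades the scheme also breaks the comparison on the client side.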
Not related to this project