Allow HTTP in public redirect URI #230
-
From a security point-of-view, this would rather be dangerous. What is your specific use case that would require this? If it's really necessary, I'm open to adding a specific environment variable to allow/disallow this at the server level.
-
When developing locally using containers (e.g. Docker), it is quite a usual setup to have:
On the container network, each container can find the other container by using the container name as a host name. Allowing only HTTPS URIs to work makes some operations impossible inside that container network, such as using a redirect URI that points to e.g. That also creates difficulty if you are running a CI/CD workflow and the worker sets up those containers and needs to run tests that create expendable, temporary user credentials, authenticates with those credentials, tests the application's functionality and then discards everything. In this case, the test environment for the worker could safely have this variable set to allow HTTP URIs, as the whole environment is created, used and then discarded, just for testing purposes.
-
Released in 0.26.3
-
When creating a client in Fief's UI, an HTTPS URL is required in the redirect URI, if it's not the local host.
Would it be possible to allow HTTP?
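The rule discussed in this thread (HTTPS required unless the host is local, with a server-level opt-in for plain HTTP) as an added example; it is not Fief's code. The setting name `EXAMPLE_ALLOW_HTTP_REDIRECT_URIS`, the function names and the container host `app` are hypothetical placeholders.

```python
import ipaddress
import os
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical setting name for this example; not Fief's actual variable.
ALLOW_HTTP_ENV = "EXAMPLE_ALLOW_HTTP_REDIRECT_URIS"


def allow_http_from_env(environ: Mapping[str, str] = os.environ) -> bool:
    """Server-level opt-in, off unless explicitly enabled."""
    return environ.get(ALLOW_HTTP_ENV, "").strip().lower() in {"1", "true", "yes"}


def is_loopback(host: str) -> bool:
    """True for 'localhost' and literal loopback IPs (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name, e.g. a container name


def redirect_uri_error(uri: str, allow_http: bool = False) -> Optional[str]:
    """Return None if the redirect URI is acceptable, else the reason it is not."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except ValueError:
        return "not a valid URI"
    if not host:
        return "must be an absolute URI with a host"
    if parts.scheme == "https":
        return None
    if parts.scheme != "http":
        return "scheme must be https (or http where permitted)"
    # Compare the parsed host, never a string prefix: "localhost.evil.example"
    # and "localhost@evil.example" must not pass as local.
    if is_loopback(host) or allow_http:
        return None
    return "http is only allowed for loopback hosts unless the server opts in"


if __name__ == "__main__":
    # Constructed sample URIs; "app" stands for a container name.
    allow = allow_http_from_env()
    for uri in ("https://example.com/cb", "http://localhost:8000/cb",
                "http://app:8000/cb", "http://localhost@evil.example/cb"):
        print(uri, "->", redirect_uri_error(uri, allow) or "ok")
```

With the opt-in unset, the container-name URI is rejected and the loopback ones pass; setting the variable in a throwaway test environment lets `http://app:8000/cb` through.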