refactor: loose redirect uri restrictions (#6846)

* refactor: loose redirect uri restrictions

* refactor: fix types and add tests

* chore: add changeset

Author: gao-sun

.changeset/nervous-apes-suffer.md

@@ -0,0 +1,20 @@
+---
+"@logto/integration-tests": patch
+"@logto/core-kit": patch
+"@logto/console": patch
+"@logto/phrases": patch
+"@logto/core": patch
+---
+
+loose redirect uri restrictions
+
+Logto has been following the industry best practices for OAuth2.0 and OIDC from the start. However, in the real world, there are things we cannot control, like third-party services or operation systems like Windows.
+
+This update relaxes restrictions on redirect URIs to allow the following:
+
+1. A mix of native and HTTP(S) redirect URIs. For example, a native app can now use a redirect URI like `https://example.com`.
+2. Native schemes without a period (`.`). For example, `myapp://callback` is now allowed.
+
+When such URIs are configured, Logto Console will display a prominent warning. This change is backward-compatible and will not affect existing applications.
+
+We hope this change will make it easier for you to integrate Logto with your applications.

packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/Settings.tsx

@@ -8,6 +8,7 @@ import FormCard from '@/components/FormCard';
 import MultiTextInputField from '@/components/MultiTextInputField';
 import CodeEditor from '@/ds-components/CodeEditor';
 import FormField from '@/ds-components/FormField';
+import InlineNotification from '@/ds-components/InlineNotification';
 import type { MultiTextInputRule } from '@/ds-components/MultiTextInput/types';
 import {
   convertRhfErrorMessage,
@@ -19,8 +20,33 @@ import useDocumentationUrl from '@/hooks/use-documentation-url';
 import { isJsonObject } from '@/utils/json';
 
 import ProtectedAppSettings from './ProtectedAppSettings';
+import styles from './index.module.scss';
 import { type ApplicationForm } from './utils';
 
+const hasMixedUriProtocols = (applicationType: ApplicationType, uris: string[]): boolean => {
+  switch (applicationType) {
+    case ApplicationType.Native: {
+      return uris.some((uri) => validateRedirectUrl(uri, 'web'));
+    }
+    case ApplicationType.Traditional:
+    case ApplicationType.SPA: {
+      return uris.some((uri) => validateRedirectUrl(uri, 'mobile'));
+    }
+    default: {
+      return false;
+    }
+  }
+};
+
+function MixedUriWarning() {
+  const { t } = useTranslation(undefined, { keyPrefix: 'admin_console' });
+  return (
+    <InlineNotification severity="alert" className={styles.mixedUriWarning}>
+      {t('application_details.mixed_redirect_uri_warning')}
+    </InlineNotification>
+  );
+}
+
 type Props = {
   readonly data: Application;
 };
@@ -31,19 +57,27 @@ function Settings({ data }: Props) {
   const {
     control,
     register,
+    watch,
     formState: { errors },
   } = useFormContext<ApplicationForm>();
 
   const { type: applicationType } = data;
 
-  const isNativeApp = applicationType === ApplicationType.Native;
   const isProtectedApp = applicationType === ApplicationType.Protected;
   const uriPatternRules: MultiTextInputRule = {
     pattern: {
-      verify: (value) => !value || validateRedirectUrl(value, isNativeApp ? 'mobile' : 'web'),
+      verify: (value) =>
+        !value || validateRedirectUrl(value, 'web') || validateRedirectUrl(value, 'mobile'),
       message: t('errors.invalid_uri_format'),
     },
   };
+  const redirectUris = watch('oidcClientMetadata.redirectUris');
+  const postLogoutRedirectUris = watch('oidcClientMetadata.postLogoutRedirectUris');
+  const showRedirectUriMixedWarning = hasMixedUriProtocols(applicationType, redirectUris);
+  const showPostLogoutUriMixedWarning = hasMixedUriProtocols(
+    applicationType,
+    postLogoutRedirectUris
+  );
 
   if (isProtectedApp) {
     return <ProtectedAppSettings data={data} />;
@@ -113,6 +147,7 @@ function Settings({ data }: Props) {
           )}
         />
       )}
+      {showRedirectUriMixedWarning && <MixedUriWarning />}
       {applicationType !== ApplicationType.MachineToMachine && (
         <Controller
           name="oidcClientMetadata.postLogoutRedirectUris"
@@ -133,6 +168,7 @@ function Settings({ data }: Props) {
           )}
         />
       )}
+      {showPostLogoutUriMixedWarning && <MixedUriWarning />}
       {applicationType !== ApplicationType.MachineToMachine && (
         <Controller
           name="customClientMetadata.corsAllowedOrigins"

packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/index.module.scss

@@ -22,3 +22,7 @@
     display: flex;
   }
 }
+
+.mixedUriWarning {
+  margin-block-start: _.unit(2);
+}

packages/core/package.json

@@ -81,15 +81,15 @@
     "lru-cache": "^11.0.0",
     "nanoid": "^5.0.1",
     "node-forge": "^1.3.1",
-    "oidc-provider": "^8.4.6",
+    "oidc-provider": "github:logto-io/node-oidc-provider#de2d8fd68e91b76d71fb910d44142f9eccd844bc",
     "openapi-types": "^12.1.3",
     "otplib": "^12.0.1",
     "p-map": "^7.0.2",
     "p-retry": "^6.0.0",
     "pg-protocol": "^1.6.0",
     "pluralize": "^8.0.0",
     "qrcode": "^1.5.3",
-    "raw-body": "^2.5.2",
+    "raw-body": "^3.0.0",
     "redis": "^4.6.14",
     "roarr": "^7.11.0",
     "samlify": "2.8.11",
@@ -116,7 +116,7 @@
     "@types/koa__cors": "^5.0.0",
     "@types/node": "^20.9.5",
     "@types/node-forge": "^1.3.1",
-    "@types/oidc-provider": "^8.4.4",
+    "@types/oidc-provider": "^8.5.2",
     "@types/pluralize": "^0.0.33",
     "@types/qrcode": "^1.5.2",
     "@types/semver": "^7.3.12",

packages/core/src/event-listeners/index.ts

@@ -1,4 +1,4 @@
-import type Provider from 'oidc-provider';
+import type { Provider } from 'oidc-provider';
 
 import type Queries from '#src/tenants/Queries.js';
 import { getConsoleLogFromContext } from '#src/utils/console.js';

packages/core/src/include.d/oidc-provider/lib-keep/helpers/filter_claims.d.ts

@@ -1,7 +1,6 @@
 // https://github.com/panva/node-oidc-provider/blob/cf2069cbb31a6a855876e95157372d25dde2511c/lib/helpers/filter_claims.js
 declare module 'oidc-provider/lib/helpers/filter_claims.js' {
-  import { type ClaimsParameter } from 'oidc-provider';
-  import type Provider from 'oidc-provider';
+  import type { ClaimsParameter, Provider } from 'oidc-provider';
 
   export default function filterClaims(
     source: ClaimsParameter | undefined,

packages/core/src/include.d/oidc-provider/lib-keep/helpers/weak_cache.d.ts

@@ -1,5 +1,5 @@
 declare module 'oidc-provider/lib/helpers/weak_cache.js' {
-  import type Provider, { type Configuration } from 'oidc-provider';
+  import type { Provider, Configuration } from 'oidc-provider';
 
   /** Deeply make all properties of a record required. */
   type DeepRequired<T> = T extends Record<string | number | symbol, unknown>

packages/core/src/libraries/session.test.ts

@@ -1,6 +1,6 @@
 import { type User } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
-import type Provider from 'oidc-provider';
+import type { Provider } from 'oidc-provider';
 
 import { mockUser } from '#src/__mocks__/user.js';
 import type Queries from '#src/tenants/Queries.js';

packages/core/src/libraries/session.ts

@@ -1,7 +1,6 @@
 import { conditional } from '@silverhand/essentials';
 import type { Context } from 'koa';
-import type { InteractionResults, PromptDetail } from 'oidc-provider';
-import type Provider from 'oidc-provider';
+import type { InteractionResults, PromptDetail, Provider } from 'oidc-provider';
 import { z } from 'zod';
 
 import type Queries from '#src/tenants/Queries.js';

packages/core/src/middleware/koa-auth/koa-oidc-auth.test.ts

@@ -1,7 +1,7 @@
 import { pickDefault } from '@logto/shared/esm';
 import type { Context } from 'koa';
 import type { IRouterParamContext } from 'koa-router';
-import Provider from 'oidc-provider';
+import { Provider } from 'oidc-provider';
 import Sinon from 'sinon';
 
 import RequestError from '#src/errors/RequestError/index.js';