Respect client-requested redirect_uri in OAuth flow #1248

Merged: CollinBeczak merged 1 commit into main from fix-oauth-redirect-domain, Jun 29, 2026
Conversation

@CollinBeczak (Contributor)

The OAuth redirect_uri was hardcoded to config.getMRFrontend in both the authorize request and the token exchange, so a login started on any frontend (e.g. beta.maproulette.org) sharing this backend would be redirected to the backend's single configured frontend after authenticating with OSM.

Both /auth/authenticate and /auth/callback now accept a redirectUri parameter and fall back to the request's Origin header, then the configured frontend. OSM validates redirect_uri against the OAuth app's registered URIs, so no local allowlist is needed.

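A runnable model of the resolution order the description states (explicit redirectUri parameter, then the request's Origin header, then the configured frontend) and of why the author says no local allowlist is needed: the authorization server rejects any redirect_uri that is not on the OAuth app's registered list, both at the authorize step and again at the token exchange. This is an added Python example, not MapRoulette's code; the endpoint URL, client id, frontend hostnames and the mock authorization server are constructed placeholders, and the scheme/host sanity check in resolve_redirect_uri is an addition of this example rather than something the PR describes.

```python
"""Model of the redirect_uri resolution described in PR #1248 (constructed example)."""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders, not real MapRoulette or OSM values.
CONFIGURED_FRONTEND = "https://frontend.example"        # stands in for config.getMRFrontend
OSM_AUTHORIZE = "https://osm.example/oauth2/authorize"  # placeholder authorize endpoint
CLIENT_ID = "example-client-id"


def resolve_redirect_uri(query, headers, configured=CONFIGURED_FRONTEND):
    """Precedence: redirectUri query param, then Origin header, then configured frontend."""
    candidate = query.get("redirectUri") or headers.get("Origin") or configured
    parsed = urlparse(candidate)
    # Added sanity check (not in the PR): reject values that are not absolute http(s) URLs
    # early, with a clear error, instead of sending them to the authorization server.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"invalid redirect URI: {candidate!r}")
    return candidate


def authenticate(query, headers):
    """Model of /auth/authenticate: build the authorize URL with the resolved redirect_uri."""
    redirect_uri = resolve_redirect_uri(query, headers)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "read_prefs",
    }
    return f"{OSM_AUTHORIZE}?{urlencode(params)}"


class MockAuthorizationServer:
    """Stand-in for OSM: enforces the app's registered redirect URIs, so the
    backend itself needs no allowlist."""

    def __init__(self, registered_uris):
        self.registered = set(registered_uris)
        self.codes = {}  # authorization code -> redirect_uri it was issued for

    def authorize(self, authorize_url):
        """Authorize step: refuse any redirect_uri that is not registered."""
        qs = parse_qs(urlparse(authorize_url).query)
        redirect_uri = qs["redirect_uri"][0]
        if redirect_uri not in self.registered:
            raise PermissionError(f"redirect_uri not registered: {redirect_uri}")
        code = f"code-{len(self.codes) + 1}"
        self.codes[code] = redirect_uri
        return code

    def exchange(self, code, redirect_uri):
        """Token exchange: redirect_uri must match the one the code was issued for."""
        if self.codes.get(code) != redirect_uri:
            raise PermissionError("redirect_uri mismatch at token exchange")
        return "access-token"


def callback(query, headers, server):
    """Model of /auth/callback: resolve redirect_uri the same way and use it in
    the token exchange; the user is then sent back to that URI."""
    redirect_uri = resolve_redirect_uri(query, headers)
    token = server.exchange(query["code"], redirect_uri)
    return token, redirect_uri


if __name__ == "__main__":
    server = MockAuthorizationServer([CONFIGURED_FRONTEND, "https://beta.example"])
    # A login started on the beta frontend (identified by Origin) comes back to beta.
    headers = {"Origin": "https://beta.example"}
    code = server.authorize(authenticate({}, headers))
    print(callback({"code": code}, headers, server))
    # An unregistered redirectUri is refused by the authorization server.
    try:
        server.authorize(authenticate({"redirectUri": "https://unregistered.example"}, {}))
    except PermissionError as exc:
        print("rejected:", exc)
```

One practical caveat on the Origin fallback: browsers send Origin on cross-origin requests and on same-origin POSTs, but generally not on a plain top-level GET navigation, so a login that starts by navigating the browser to /auth/authenticate without an explicit redirectUri will still fall through to the configured frontend. The explicit parameter is the reliable path for a non-default frontend.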

@jake-low (Contributor) left a comment

LGTM, thanks for implementing this!

This has an additional benefit which isn't mentioned in the PR description: with this change, it'll be possible to use OAuth login when running the frontend locally (i.e. during development) while it's configured to talk to the production backend. Currently this is possible only by setting REACT_APP_SERVER_API_KEY (in maproulette3) or VITE_SERVER_API_KEY (in maproulette4) to your user account's API key before starting the frontend.

CollinBeczak merged commit c3df7e1 into main on Jun 29, 2026 (9 checks passed).
CollinBeczak deleted the fix-oauth-redirect-domain branch on June 29, 2026 at 20:21.