b/176762319: remove authorizationUrl redirect #824
Conversation
Signed-off-by: Wayne Zhang <[email protected]>
|
@qiwzhang @nareddyt @TAOXUY, this fueature shoudn't have been removed, as 'authorizationUrl' is a required parameter by the OpenAPI Specification https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#securityDefinitionsObject, furthemore if I'm using other authentication systems like (Auth0, Firebase) I should have the functionality to send not authenticated users to the authentication portal. please let me know if I should create a Issue or reopen the previous one. |
|
OK, let us add his feature back under a flag. My judgement is: most people don't use it, but they get confused when we redirect to that URL silently. For the new users that want the redirect feature, they can enable it explicitly. BTW, ESPv2 doesn't have this feature, we need to add it to ESPv2 too. |
This reverts commit 621211d.
* Revert "remove authorizationUrl redirect (#824)" This reverts commit 621211d. * Add redirect_authorization_url flag Signed-off-by: Wayne Zhang <[email protected]> * rename the flag Signed-off-by: Wayne Zhang <[email protected]>
Signed-off-by: Wayne Zhang [email protected]
This was added as a "feature" 4 years ago by #228
It really is a bug. If a user accidentally set authorizationUrl in the openapi spec, ESP auth will behave wrong.
b/176762319:another user run into this problem.
I added this "feature" for Flex team, but I don't think they are using it.
I don't think anybody is using this feature either since it is not documented. It was designed for OAuth flow, but it is not complete, it requires more query parameters from JWT token during 302 redirect.