
Can't host an OAuth app and a PDS on the same site #3362

Open
bmillwood opened this issue Jan 13, 2025 · 1 comment
Labels
bug Something isn't working

Comments


bmillwood commented Jan 13, 2025

Describe the bug

I'm developing an app which uses Bluesky as an OAuth provider. My app's login page allows users to enter their Bluesky handle and click "log in". This then redirects them internally to a separate page on my app, /auth/login/bluesky/start?handle=their.handle, which uses their handle to figure out their DID / PDS / authorization server, does the PAR request, and then 303-redirects them to the authorize URI so they can do the login flow.

I then see:

Forbidden sec-fetch-site header "same-site"

from (I think) oauth-provider.ts:1313.

The problem, as I eventually worked out (after some false hypotheses; see the issue edit history if you're curious), is that I'm self-hosting a PDS under the same domain as the OAuth app, so this is a same-site request for anyone using my PDS (admittedly currently just me).

Now, the impact of this is fairly small, but it doesn't seem so unnatural that sites invested in the Bluesky ecosystem are going to want to host both a PDS and an OAuth app, and with this check in place, they currently (as far as I can tell) can't use their own app.

I don't really understand what the Sec-Fetch-Site check is for, so I don't feel able to suggest it just be removed without learning a bit more about it first. But I'd be interested in hearing more about what it's for, so we can decide whether there's something appropriate to do here.

To Reproduce

Implement an OAuth app on the same site as your authorization server.

Expected behavior

It works (somehow).

Details

My PDS has these details:

  • Operating system: Ubuntu 22.04.5
  • Node version: v20.11.1

Additional context

I don't expect you to need to read my code, but it's here if you want it: https://github.com/bmillwood/flexiprocity/blob/88c2bf1346fbc1443e71e805078362e40dff0b70/auth-server/src/Bluesky.hs

@bmillwood bmillwood added the bug Something isn't working label Jan 13, 2025
@bmillwood bmillwood changed the title OAuth provider checking Sec-Fetch-Site causes me headaches Can't host an OAuth app and a PDS on the same site Jan 13, 2025
@bmillwood (Author)

I did some more research and have a different understanding of the cause of my problem now, so I've updated the issue.

bmillwood added a commit to bmillwood/flexiprocity that referenced this issue Jan 13, 2025
This was based on a misunderstanding of what the problem was. I'm still
a bit unclear on how Sec-Fetch-Site interacts with redirects, but even
if I do work around that, the reciprocity to OAuth redirect *is* a
same-site redirect for me in particular.

See bluesky-social/atproto#3362

This reverts commit 8d4046a.