[PR #261] [MERGED] [Plugins] [Auth] [oauth2] Support identity platforms with underlying IDPs #186

New Issue

adam · 2025-12-29T08:31:58+01:00

adam commented

2025-12-29 08:31:58 +01:00

📋 Pull Request Information

Original PR: https://github.com/mountain-loop/yaak/pull/261
Author: @Blond11516
Created: 10/4/2025
Status: ✅ Merged
Merged: 10/18/2025
Merged by: @gschier

Base: main ← Head: plugin/auth-oauth2/support-identity-platform-with-idp

📝 Commits (4)

6ee8ce6 [plugin/oauth2] Support identity platforms authenticating through other IDPs
3de1f81 Merge branch 'main' into plugin/auth-oauth2/support-identity-platform-with-idp
5bbb1ee Better redirect matching
9146879 Catch another edge case

📊 Changes

5 files changed (+200 additions, -22 deletions)

View changed files

📝 plugins/auth-oauth2/package.json (+2 -1)
📝 plugins/auth-oauth2/src/grants/authorizationCode.ts (+8 -9)
📝 plugins/auth-oauth2/src/index.ts (+1 -12)
📝 plugins/auth-oauth2/src/util.ts (+80 -0)
➕ plugins/auth-oauth2/tests/util.test.ts (+109 -0)

📄 Description

When using an identity platform (such as AWS Cognito) authenticating through another IDP (such as Google) with OAuth 2, Yaak's OAuth 2 plugin picks up the code sent from the IDP to the identity platform, rather than that sent by the identity platform to Yaak.

By checking that the current navigation URL matches the provided redirect URI, we can make sure to use only the code intended for Yaak, no matter how many OAuth 2 loops there might be.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/mountain-loop/yaak/pull/261 **Author:** [@Blond11516](https://github.com/Blond11516) **Created:** 10/4/2025 **Status:** ✅ Merged **Merged:** 10/18/2025 **Merged by:** [@gschier](https://github.com/gschier) **Base:** `main` ← **Head:** `plugin/auth-oauth2/support-identity-platform-with-idp` --- ### 📝 Commits (4) - [`6ee8ce6`](https://github.com/mountain-loop/yaak/commit/6ee8ce6c58ab0818bc44e58a6c1885a0be1b6086) [plugin/oauth2] Support identity platforms authenticating through other IDPs - [`3de1f81`](https://github.com/mountain-loop/yaak/commit/3de1f81ee928922451fda6e39eedbda042096718) Merge branch 'main' into plugin/auth-oauth2/support-identity-platform-with-idp - [`5bbb1ee`](https://github.com/mountain-loop/yaak/commit/5bbb1eec3c004b2ee3cbbff251c21518ee8bc1b0) Better redirect matching - [`9146879`](https://github.com/mountain-loop/yaak/commit/91468790def697616063255fab2d48e222dfb893) Catch another edge case ### 📊 Changes **5 files changed** (+200 additions, -22 deletions) <details> <summary>View changed files</summary> 📝 `plugins/auth-oauth2/package.json` (+2 -1) 📝 `plugins/auth-oauth2/src/grants/authorizationCode.ts` (+8 -9) 📝 `plugins/auth-oauth2/src/index.ts` (+1 -12) 📝 `plugins/auth-oauth2/src/util.ts` (+80 -0) ➕ `plugins/auth-oauth2/tests/util.test.ts` (+109 -0) </details> ### 📄 Description When using an identity platform (such as AWS Cognito) authenticating through another IDP (such as Google) with OAuth 2, Yaak's OAuth 2 plugin picks up the code sent from the IDP to the identity platform, rather than that sent by the identity platform to Yaak. By checking that the current navigation URL matches the provided redirect URI, we can make sure to use only the code intended for Yaak, no matter how many OAuth 2 loops there might be. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-29 08:31:58 +01:00

adam closed this issue

2025-12-29 08:31:58 +01:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/yaak-mountain-loop#186