Details
-
Bug
-
Resolution: Fixed
-
P2: Important
-
6.7.3, 6.8.0
-
Windows 10 22H2
-
5
-
b1e67440a (dev), 6e08270c0 (dev), b67d48dbc (6.8)
-
Foundation Sprint 118, Foundation Sprint 119, Foundation Sprint 120, Foundation Sprint 121
Description
Suppose we construct a reply handler like this:
auto handler = new QOAuthHttpServerReplyHandler(55555, this);
- Qt 6.6.3 would set the redirect URI to "http://127.0.0.1:55555" (Expected)
- Qt 6.7 and newer would set the redirect URI to "http://localhost:55555" (Not Expected)
Even using an explicit host address still results in "localhost" being used in the redirect URI:
auto handler = new QOAuthHttpServerReplyHandler(QHostAddress("127.0.0.1"), redirectUriPort, this); // Doens't work either...
This change
- ...goes against https://tools.ietf.org/html/rfc8252#section-8.3 which specifically says that using "localhost" is NOT RECOMMENDED
- ...reversed the fix for
QTBUG-67528 - ...prevents authentication from succeeding when the server is only configured to accept "127.0.0.1" (for example, Google's OAuth2 server will reply with "Error 400: redirect_uri_mismatch")
Attachments
Issue Links
- replaces
-
QTBUG-67528 Use 127.0.0.1 instead of localhost for redirect_uri in QOAuth2AuthorizationCodeFlow
-
- Closed
-