fix(oidc): use single web_origin for login redirects, not the cors_origin list #42

Merged
YousifShkara merged 1 commit from fix/bunyip-web-origin-for-oidc-login-redirect into main 2026-06-03 01:49:32 +02:00

The /oauth2/authorize handler and the auth_redirect handlers both build a login_url by concatenating cors_origin + "/login". That worked when CORS_ORIGIN held a single URL. Once multiple RPs register (bunyip-web + mokosh-apps + drillmark on c-01), CORS_ORIGIN is a comma-list and the format!() produces garbage (literally "https://a8n.systems,https://msp.a8n.systems,https://drillmark.a8n.systems/login?..."). Browsers either fail to navigate or end up somewhere they shouldn't.

Split out a new Config.web_origin field, populated from BUNYIP_WEB_ORIGIN with a fallback to the first entry of CORS_ORIGIN (so single-RP self-hosters and dev keep working without setting a new env). The OIDC authorize handler and the two auth_redirect handlers in bunyip-api/src/handlers/auth.rs now consume web_origin for both the login URL build and the Url::parse-based allowed-domain check (Url::parse on a comma-list returns None, which silently turned the check into "always reject").

Operators on multi-RP deploys (c-01) must set BUNYIP_WEB_ORIGIN=https://a8n.systems in compose-variables alongside the existing CORS_ORIGIN. Docker-side env switch is a separate PR on docker repo.

Symptom this fixes: after merging the bunyip-as-OP cutover on c-01, signing in at bunyip-web landed users on /dashboard instead of returning them to msp.a8n.systems via the OIDC code-exchange. Caused by the malformed login_url breaking the authorize -> login -> authorize round-trip.

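The failure mode the description walks through (a comma-list origin concatenated into login_url, and the same list silently failing the Url::parse-based check) and the fallback rule for the new web_origin field, as an added example that is not bunyip's own code. The function names (resolve_web_origin, parse_origin, build_login_url, redirect_allowed) are this example's, not the project's; parse_origin is a std-only stand-in for Url::parse that accepts only `scheme://host[:port]`, and the input strings are constructed from the hosts quoted in the description.

```rust
// Added example, not bunyip's code. Shows (1) the BUNYIP_WEB_ORIGIN ->
// first-CORS_ORIGIN-entry fallback, (2) why format!() over the raw CORS
// list produces a garbage login_url, and (3) why an origin check that
// parses the raw list rejects every redirect target.

/// Std-only stand-in for Url::parse (assumption: the project uses the url
/// crate). Accepts only `scheme://host[:port]`; any path, query, fragment,
/// comma or whitespace makes it fail, so a comma-separated CORS_ORIGIN
/// value is rejected. IPv6 literals are not handled.
pub fn parse_origin(s: &str) -> Option<(String, String, Option<u16>)> {
    let (scheme, rest) = s.split_once("://")?;
    let scheme_ok = !scheme.is_empty()
        && scheme
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '+' || c == '-' || c == '.');
    if !scheme_ok || rest.is_empty() {
        return None;
    }
    if rest
        .chars()
        .any(|c| c == ',' || c == '/' || c == '?' || c == '#' || c.is_whitespace())
    {
        return None;
    }
    let (host, port) = match rest.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (rest, None),
    };
    if host.is_empty() {
        return None;
    }
    Some((scheme.to_string(), host.to_string(), port))
}

/// Fallback rule from the PR: an explicit BUNYIP_WEB_ORIGIN wins; otherwise
/// the first CORS_ORIGIN entry (trimmed). None when neither is a single
/// parseable origin, so the caller can refuse to start rather than build
/// broken URLs.
pub fn resolve_web_origin(bunyip_web_origin: Option<&str>, cors_origin: &str) -> Option<String> {
    let candidate = match bunyip_web_origin.map(str::trim).filter(|s| !s.is_empty()) {
        Some(explicit) => explicit.to_string(),
        None => cors_origin.split(',').next()?.trim().to_string(),
    };
    let candidate = candidate.trim_end_matches('/').to_string();
    parse_origin(&candidate).map(|_| candidate)
}

/// Minimal percent-encoding of a query value (unreserved chars kept).
fn percent_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// The handlers' login_url build: origin + "/login?...". Passing the raw
/// comma-list as `origin` yields exactly the garbage quoted in the PR.
pub fn build_login_url(origin: &str, return_to: &str) -> String {
    format!("{}/login?return_to={}", origin, percent_encode(return_to))
}

/// Allowed-domain check: accept a post-login redirect target only if its
/// scheme, host and port equal the configured web origin. When `web_origin`
/// is the comma-list, parse_origin fails and this is "always reject".
pub fn redirect_allowed(web_origin: &str, target: &str) -> bool {
    let expected = match parse_origin(web_origin) {
        Some(o) => o,
        None => return false,
    };
    // The target carries a path, so cut it down to its origin part first.
    let (scheme, rest) = match target.split_once("://") {
        Some(parts) => parts,
        None => return false,
    };
    let authority = rest
        .split(|c: char| c == '/' || c == '?' || c == '#')
        .next()
        .unwrap_or("");
    parse_origin(&format!("{}://{}", scheme, authority)) == Some(expected)
}

fn main() {
    // Constructed multi-RP value, as on c-01.
    let cors = "https://a8n.systems,https://msp.a8n.systems,https://drillmark.a8n.systems";
    let next = "/oauth2/authorize?client_id=mokosh";
    println!("before: {}", build_login_url(cors, next));
    println!("before, check passes: {}", redirect_allowed(cors, "https://a8n.systems/dashboard"));
    // BUNYIP_WEB_ORIGIN unset: fall back to the first CORS_ORIGIN entry.
    let web_origin = resolve_web_origin(None, cors).expect("no usable web origin");
    println!("after:  {}", build_login_url(&web_origin, next));
    println!("after, check passes:  {}", redirect_allowed(&web_origin, "https://a8n.systems/dashboard"));
}
```

Operators can reproduce the "always reject" half of the bug with the before lines alone: the check never passes for any target, so whatever the handler does on rejection (here, landing on /dashboard) is what every user sees.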
fix(oidc): use single web_origin for login redirects, not the cors_origin list
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / fmt / clippy / build / test (pull_request) Successful in 1m13s
b004bd223b
YousifShkara deleted branch fix/bunyip-web-origin-for-oidc-login-redirect 2026-06-03 01:49:33 +02:00
Reference
psa-systems/bunyip!42