How to best support dynamic redirect URIs (preview environments) #1487
Description
Is your feature request related to a problem? Please describe.
We are developing an application on render.com. This hosting service provides "preview environments". An isolated preview environment is created for every pull request (GitHub) and is accessible using a unique URL for the environment (the PR ID is in the subdomain). Our identity provider (Django OAuth Toolkit) is not part of the preview environment and is hosted elsewhere. To log in to the app in the preview environment we need to update the allowed redirect URIs on the OAuth application. It then looks something like so:
https://some-other-app/authn/callback
https://some-app-pr-174.onrender.com/authn/callback
https://some-app-pr-175.onrender.com/authn/callback
https://some-app-pr-176.onrender.com/authn/callback
...
These environments come and go so it is tedious to have to continually update the configuration.
Describe the solution you'd like
Currently, request URI is a string with space-separated URIs. If we were to allow a regular expression I could match the URI and allow URLs that match the expression.
I realize that allowing this is prone to error and possibly a foot-gun if someone allowed *.onrender.com. This would allow anyone on render.com to potentially hijack a token. :/
Describe alternatives you've considered
The only alternatives I could come up with:
- A process that would populate allowed redirect URIs automatically. Each time a preview environment is created or destroyed it would be added/removed from redirect URIs.
- A process that creates an OAuth application for each preview environment. Hmmmm
I'm very interested if others have run into something similar and how they have solved it. :)
Additional context
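The difference between the wildcard foot-gun and a tightly scoped pattern, as an added example that is not part of the original issue and is not Django OAuth Toolkit code. The function names, the constants and the six-digit cap on the PR number are assumptions made for illustration; the hosts and path are the ones shown in the issue.

```python
import re
from urllib.parse import urlsplit

# Hypothetical configuration: exact URIs stay exact; only the preview host varies.
EXACT_REDIRECT_URIS = {"https://some-other-app/authn/callback"}
PREVIEW_HOST_RE = re.compile(r"some-app-pr-[0-9]{1,6}\.onrender\.com")
PREVIEW_PATH = "/authn/callback"

# Weak form the issue warns about: any tenant on the shared domain matches,
# and because the pattern is unanchored, so does a longer foreign hostname.
NAIVE_WILDCARD_RE = re.compile(r"https://.*\.onrender\.com")


def naive_wildcard_allowed(uri: str) -> bool:
    """Wildcard check over the raw string (shown only for contrast)."""
    return NAIVE_WILDCARD_RE.match(uri) is not None


def redirect_uri_allowed(uri: str) -> bool:
    """Allow an exact registered URI or a preview URI for this one app."""
    if uri in EXACT_REDIRECT_URIS:
        return True
    try:
        host = urlsplit(uri).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    # Match the parsed hostname as a whole, never a substring of the raw URI.
    if PREVIEW_HOST_RE.fullmatch(host) is None:
        return False
    # Require the canonical form exactly: this rejects other schemes, userinfo,
    # ports, extra path segments, query strings and fragments in one comparison.
    return uri == f"https://{host}{PREVIEW_PATH}"
```

Only the PR number is variable here; scheme, path and the app-specific host prefix remain fixed, so other tenants of the shared domain never match.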