Conversation

@ItsYash1421

What kind of change does this PR introduce?

Bug fix - Fixes OAuth Dynamic Client Registration to support custom URI schemes

What is the current behavior?

Issue: #2285

The OAuth 2.0 Dynamic Client Registration endpoint (POST /oauth/clients/register) rejects custom URI schemes (e.g., cursor://, exp://, myapp://) even when they are explicitly whitelisted in the additional_redirect_urls configuration or GOTRUE_URI_ALLOW_LIST environment variable.

Current Error

{
  "code": 400,
  "error_code": "validation_failed",
  "msg": "400: invalid redirect_uri 'cursor://anysphere.cursor-mcp/callback': scheme must be HTTPS or HTTP (localhost only)"
}

Root Cause

The OAuth server's client registration logic uses strict validation that only allows http and https schemes, which is inconsistent with PR #711 that relaxed this validation for general auth flows to support native applications.

What is the new behavior?

The OAuth server now uses the same allow-list-based validation as the rest of the auth system (introduced in PR #711). Custom URI schemes work when explicitly configured in the allow list.

Test Results

All validation tests pass successfully:

PASS: TestValidateRequestOrigin (9 test cases)
PASS: TestValidateRequestOriginEdgeCases (5 test cases)
PASS: TestInferClientTypeFromAuthMethod (5 test cases)
PASS: TestGetValidAuthMethodsForClientType (4 test cases)
PASS: TestValidateClientTypeConsistency (8 test cases)
PASS: TestDetermineClientType (7 test cases)
PASS: TestIsValidAuthMethodForClientType (7 test cases)
PASS: TestValidateClientAuthentication (5 test cases)
PASS: TestGetAllValidAuthMethods

Total: 8 test suites, 40+ test cases - ALL PASS

Additional context

Changes Made

Files Modified:

  1. internal/api/oauthserver/service.go (~40 lines)

    • Changed validateRedirectURI() to use utilities.IsRedirectURLValid()
    • Updated validation methods to be Server methods for config access
    • Modified validate() methods to accept *Server parameter
  2. internal/api/oauthserver/service_test.go (~80 lines)

    • Updated TestRedirectURIValidation() to use new method signature
    • Added comprehensive TestCustomURISchemes() test
    • Updated SetupTest() to configure test URIs

References

@ItsYash1421 ItsYash1421 requested a review from a team as a code owner December 9, 2025 06:59
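The two rules the PR contrasts, as an added illustration that is not the project's own code: the strict pre-fix check (https, or http on localhost) beside an allow-list check that accepts a custom scheme only when the URI is explicitly configured. The function names, the retained http(s) acceptance, the trailing "/*" wildcard and the sample allow list are assumptions for this example, not GoTrue's actual matcher.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// strictRedirectURIValid mirrors the pre-fix rule: https, or http on localhost only.
func strictRedirectURIValid(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "https":
		return u.Host != ""
	case "http":
		return u.Hostname() == "localhost" || u.Hostname() == "127.0.0.1"
	}
	return false
}

// allowListRedirectURIValid mirrors the post-fix rule: the strict rule still applies, and a
// URI of any scheme is also accepted when it matches a configured allow-list entry. Assumed
// matcher (simplified): "/*" suffix permits any path under the prefix; else exact; no fragments.
func allowListRedirectURIValid(raw string, allowList []string) bool {
	if strictRedirectURIValid(raw) {
		return true
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Fragment != "" {
		return false
	}
	for _, entry := range allowList {
		if strings.HasSuffix(entry, "/*") {
			if strings.HasPrefix(raw, strings.TrimSuffix(entry, "*")) {
				return true // wildcard entries are broad; keep them as narrow as possible
			}
		} else if raw == entry {
			return true
		}
	}
	return false
}

func main() {
	allow := []string{"cursor://anysphere.cursor-mcp/callback", "exp://*"} // constructed sample
	fmt.Println(strictRedirectURIValid(allow[0]), allowListRedirectURIValid(allow[0], allow))
}
```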