Api: Allow HTTP protocol for Redirect URL

Created on 21 Nov 2017 · 7 Comments · Source: Bungie-net/api

Consider allowing HTTP protocol for Redirect URL, at least for localhost.
Currently I'm writing a library with Qt to communicate with the API, and the way OAuth is currently implemented in Qt is in such a way that it always assumes the Redirect URL to be "localhost:port".

Perhaps I'm wrong, but I don't think it is a big issue to have HTTP at least for localhost?

All 7 comments

In Qt you can implement your own ReplyHandler for https, but then the browser will complain about an invalid certificate.
Google offers support for urn:ietf:wg:oauth:2.0:oob as redirect url, but Bungie does not seem to support that either.

But the easiest would indeed be to support http for localhost. Also it would be nice to allow every port for localhost, because the port can be chosen dynamically when the application starts on the user's device.

EDIT
I've made it work using Qt using a custom URL scheme.

The easiest solution is to use Qt WebEngine and then catch the callback by using QWebEngineUrlSchemeHandler. This works well, but Qt does not give you access to the token answer so you do not get the membership id directly, you need to make an API call. However, Bungie explicitly discourages this strategy.

Another solution is to use the system browser (QDesktopServices::openUrl()). But this requires registering the custom scheme with the OS (i.e. adding some values in the Windows registry or adding a .desktop file in Linux) and doing some IPC, as the OS will start a new process to handle the callback URL. Another downside is that there is no way to close the browser tab once the access has been granted and the user is left with a blank browser tab... It would be nice if Bungie would add some content like "You have logged in successfully in App".

If you want to see an implementation of both strategies, take a look at my code. OAuthSchemeReplyHandler uses Qt WebEngine and OAuthSystemReplyHandler uses the system browser.

Glad you found a workaround.

@Tetron-bng It is NOT a proper workaround.

Without HTTP allowed, either we have to use an in-app webview or leave the user with a blank browser tab. This is not acceptable.

Please either allow HTTP for localhost or provide a nice page for the user after login.

I agree. It is not a workaround; it's more of a hack to circumvent the restrictions.
Bungie says HTTP is not allowed, so we just set "localhost:xyz" as redirect URI, and then manually add the HTTP part during authentication. So the "restriction" is not working for localhost anyway.
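
The rule requested in this thread (plain HTTP accepted only for localhost, on any port) can be written as a server-side redirect-URI check. This is an added example, not Bungie's code and not code posted by anyone in the thread; the function names, the `allow_localhost_name` flag and the sample URLs are assumptions. The any-port rule for loopback follows RFC 8252 section 7.3, which prefers the IP literals over the name `localhost`.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_loopback(host, allow_localhost_name):
    """True for loopback IP literals; the name 'localhost' only if opted in."""
    if host is None:
        return False
    if allow_localhost_name and host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name such as 127.0.0.1.example.com is not a literal


def redirect_allowed(requested, registered, allow_localhost_name=True):
    """Check the redirect_uri of a request against the app's registered URI."""
    try:
        req, reg = urlsplit(requested), urlsplit(registered)
        req.port, reg.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return False
    if req.username or req.password or req.fragment:
        return False  # rejects http://127.0.0.1:1234@other.host/... style confusion
    if req.scheme == "https":
        return requested == registered  # non-loopback: exact string match only
    if req.scheme != "http" or reg.scheme != "http":
        return False
    # Plain HTTP is accepted only when both URIs point at loopback.
    if not (_is_loopback(req.hostname, allow_localhost_name)
            and _is_loopback(reg.hostname, allow_localhost_name)):
        return False
    # The port is free (picked at runtime by the native app); the rest must match.
    return (req.hostname == reg.hostname
            and req.path == reg.path and req.query == reg.query)


if __name__ == "__main__":
    # Constructed sample requests, each checked against its registered URI.
    samples = [
        ("http://127.0.0.1:51004/callback", "http://127.0.0.1/callback"),
        ("http://localhost:40123/callback", "http://localhost/callback"),
        ("http://example.com/callback", "http://example.com/callback"),
        ("http://127.0.0.1:51004@evil.example/callback", "http://127.0.0.1/callback"),
    ]
    for requested, registered in samples:
        print(redirect_allowed(requested, registered), requested)
```
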

This is also a problem for me. Attempting to use Flutter and its workaround after workaround to get past the OAuth2 side of things as well as the HTTP vs HTTPS issue.

I and my dev groups use this every day for local ssl.
https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec
I hope it works for you.

Thanks nine13tech, but I would need something that works for setting it up on the device dynamically in Dart.
