Summary
Add a temporary per‑application toggle to allow legacy redirect prefix matching, defaulting to strict (exact) matching for new apps. Preserve legacy behavior for existing apps, with telemetry to support deprecation.
Scope
- Model: add ApiApplication.allow_redirect_prefix_match: bool (default False for new apps).
- Migration: backfill existing rows to True (legacy tolerance).
- Validation: update ApiApplication.is_valid_redirect_uri to allow prefix only when the field is True; keep existing info log on prefix acceptance and add a metric.
- No UI changes in this ticket (optional admin surfacing can be separate).
Acceptance Criteria
- New apps (field False) accept only exact redirect URI matches (normalized); prefix‑only URIs are rejected.
- Existing apps (field True) continue to accept prefix matches; an info log and metric are emitted on prefix acceptance.
- Migration applies cleanly; field visible on the model.
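The validation rule the acceptance criteria describe, written out as an added, self-contained Python sketch (not Sentry's `ApiApplication` code; the model is a plain dataclass stand-in, the metrics client is a constructed in-memory counter, and the `normalize_redirect_uri` rules are assumptions about what "normalized" means here: case-folded scheme and host, default port dropped, empty path treated as `/`, fragment discarded). It shows the strict path for a new app, the tolerant path for a backfilled app, and the log plus `oauth.redirect.prefix_match` metric on prefix acceptance:

```python
import logging
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

logger = logging.getLogger(__name__)

# Constructed stand-in for the metrics client: "metric name|tags" -> count.
METRICS: dict[str, int] = {}


def incr(name: str, tags: dict[str, str]) -> None:
    key = name + "|" + ",".join(f"{k}={v}" for k, v in sorted(tags.items()))
    METRICS[key] = METRICS.get(key, 0) + 1


DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_redirect_uri(uri: str) -> str:
    """Assumed normalization: lowercase scheme/host, drop default port,
    treat an empty path as '/', discard the fragment (it is never sent to
    the server). Userinfo is discarded as well. Raises ValueError on a
    malformed port, which the caller treats as 'no match'."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # ValueError if the port is not numeric
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


@dataclass
class ApiApplication:
    client_id: str
    redirect_uris: list[str]
    # Strict (exact) matching for new apps; the migration backfills True
    # for pre-existing apps only.
    allow_redirect_prefix_match: bool = False

    def is_valid_redirect_uri(self, value: str) -> bool:
        try:
            candidate = normalize_redirect_uri(value)
        except ValueError:
            return False
        for registered in self.redirect_uris:
            reg = normalize_redirect_uri(registered)
            if candidate == reg:
                return True  # exact match, allowed for every app
            # Legacy tolerance: a plain string prefix after normalization.
            # This is what is being deprecated; note that it still accepts
            # any deeper path (including unresolved '..' segments) under the
            # registered URI, which is why new apps do not get it.
            if self.allow_redirect_prefix_match and candidate.startswith(reg):
                logger.info(
                    "oauth.redirect.prefix_match",
                    extra={"client_id": self.client_id, "redirect_uri": value},
                )
                incr("oauth.redirect.prefix_match", {"client_id": self.client_id})
                return True
        return False


def demo() -> dict[str, bool]:
    """Constructed apps and inputs exercising both code paths."""
    registered = ["https://app.example.com/callback"]
    strict = ApiApplication("new-app", registered)  # field defaults to False
    legacy = ApiApplication("legacy-app", registered, allow_redirect_prefix_match=True)
    deeper = "https://app.example.com/callback/extra"
    return {
        "strict_exact": strict.is_valid_redirect_uri("https://app.example.com/callback"),
        "strict_normalized": strict.is_valid_redirect_uri("HTTPS://App.Example.com:443/callback"),
        "strict_prefix": strict.is_valid_redirect_uri(deeper),
        "strict_other_host": strict.is_valid_redirect_uri("https://app.example.com.evil.net/callback"),
        "legacy_prefix": legacy.is_valid_redirect_uri(deeper),
        "legacy_other_host": legacy.is_valid_redirect_uri("https://app.example.com.evil.net/callback"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    print(METRICS)
```

The host-suffix case is in the demo because it is the classic prefix-match trap: normalizing an empty path to `/` is what keeps `https://app.example.com` from being a string prefix of `https://app.example.com.evil.net/`, so the normalization step is part of the security check, not just cosmetics.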
Test Plan (100% coverage on changed code paths)
- tests/sentry/models/test_apiapplication.py:
  - Strict default: prefix match rejected for new app (field False); exact and normalized matches still accepted.
  - Legacy: prefix match accepted when field True; log/metric path exercised.
- Optionally add authorize‑view tests validating redirect handling in the endpoint flow.
Rollout
- Field default False for new apps; backfill True for existing.
- Metric: increment oauth.redirect.prefix_match (tags: client_id/app_id).
- Document deprecation plan in oauth2.1‑plan.
Dependencies
Risks/Mitigations
- Risk: rejecting legitimate prefixes for new apps — mitigated by making field explicit and documenting exact URI requirements; RFC 8252 native app rules handled separately.