feat(oauth): Add strict redirect URI validation mode by dcramer · Pull Request #99003 · getsentry/sentry

dcramer · 2025-09-06T22:56:30Z

Introduces version-gated exact redirect URI matching per OAuth 2.0 spec.

Exact match required for version 1+ apps (RFC 6749 §3.1.2.3)
Loopback ephemeral port exception for native apps (RFC 8252)
Legacy prefix-matching preserved for version 0 apps

Refs:

Related: #99002

github-actions · 2025-09-06T22:58:42Z

This PR has a migration; here is the generated SQL for src/sentry/migrations/0974_add_allow_redirect_prefix_match.py

for 0974_add_allow_redirect_prefix_match in sentry

--
-- Add field allow_redirect_prefix_match to apiapplication
--
ALTER TABLE "sentry_apiapplication" ADD COLUMN "allow_redirect_prefix_match" boolean DEFAULT false NOT NULL;
--
-- Raw Python operation
--
-- THIS OPERATION CANNOT BE WRITTEN AS SQL

dcramer · 2025-09-06T23:02:37Z

Open to changing the migration here, and while it has the chance to cause a minor blip for some folks, its hugely unlikely and saves us from having to make sure any paths that update the apps are also updated to write the actual-default

dcramer · 2025-09-06T23:06:35Z

oh one other open q: can you use a diff db_default vs default and have it do what you might want here? e.g. db_default=True, default=False, and have new entries created via the app be inverted? I dont recall how all this works

aside this table should be tiny which is why i didnt bother with nullable ddl

codecov · 2025-09-06T23:17:09Z

Codecov Report

❌ Patch coverage is 83.87097% with 5 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/sentry/models/apiapplication.py	83.87%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #99003      +/-   ##
==========================================
- Coverage   81.29%   81.28%   -0.01%     
==========================================
  Files        8545     8545              
  Lines      377549   377688     +139     
  Branches    23999    23999              
==========================================
+ Hits       306923   307003      +80     
- Misses      70275    70334      +59     
  Partials      351      351

dcramer · 2025-09-07T17:23:03Z

I'm actually considering just adding a versioning flag to the api application, as theres going to be a ton of minor incompatible changes and we wont want flags for each one. This one is kind of ok, and may be one of the few that has real consequences, but for example theres things like 'implicit' grants being deprecated etc.

dcramer · 2025-09-09T16:48:57Z

I'm going to swap to a version field - otherwise we need to add a bitflag here and id pref to avoid that unless really needed. We'll then give folks a time window (if needed) and deprecate the legacy applications (force upgrade them).

Will keep the logging pattern for any legacy/future-unsupported behavior.

#99002 (comment)

github-actions · 2025-09-09T17:20:18Z

This PR has a migration; here is the generated SQL for src/sentry/migrations/0976_add_apiapplication_version.py

for 0976_add_apiapplication_version in sentry

--
-- Add field version to apiapplication
--
ALTER TABLE "sentry_apiapplication" ADD COLUMN "version" integer DEFAULT 0 NOT NULL CHECK ("version" >= 0);
CREATE INDEX CONCURRENTLY "sentry_apiapplication_version_aeec73fd" ON "sentry_apiapplication" ("version");

dcramer · 2025-09-10T15:15:57Z

@oioki oof ancient PR - if theres any others your aware of, or low hanging fruit that just couldnt get pushed through lmk happy to help

Add `allow_redirect_prefix_match` field to ApiApplication model to control redirect URI validation behavior. When False (default for new apps), redirect URIs must match exactly. When True (migrated existing apps), legacy prefix matching is allowed. This improves OAuth security by preventing redirect URI manipulation attacks while maintaining backward compatibility for existing applications. Fixes #99001

github-actions · 2025-09-11T13:53:30Z

This PR has a migration; here is the generated SQL for src/sentry/migrations/0979_add_apiapplication_version.py

for 0979_add_apiapplication_version in sentry

--
-- Add field version to apiapplication
--
ALTER TABLE "sentry_apiapplication" ADD COLUMN "version" integer DEFAULT 0 NOT NULL CHECK ("version" >= 0);
CREATE INDEX CONCURRENTLY "sentry_apiapplication_version_aeec73fd" ON "sentry_apiapplication" ("version");

wedamija · 2025-09-11T21:13:49Z

+    # defaults accordingly.
+    version = BoundedPositiveIntegerField(
+        default=0,
+        db_index=True,


Will we be querying on version directly, or on some compound key?

wedamija · 2025-09-11T21:14:06Z

+    # default and db_default to 1 and add a migration to update the field
+    # defaults accordingly.
+    version = BoundedPositiveIntegerField(
+        default=0,


You don't need to set both default and db_default. I'd just go with db_default here.

dcramer · 2025-09-11T21:17:43Z

🙏 ty @mdtro

dcramer · 2025-09-11T21:19:55Z

just realzed after merging, but lets come back and delete the index later - i doubt we really need it so its a waste of memory

can do it as part of the final migration where we update the versions

dcramer requested a review from a team as a code owner September 6, 2025 22:56

github-actions Bot added the Scope: Backend Automatically applied to PRs that change backend components label Sep 6, 2025

vercel Bot deployed to Preview September 6, 2025 22:58 View deployment

dcramer force-pushed the oauth-redirect-uri-exact branch from 8c03738 to 2fe97d0 Compare September 6, 2025 23:04

vercel Bot deployed to Preview September 6, 2025 23:06 View deployment

dcramer force-pushed the oauth-redirect-uri-exact branch from 2fe97d0 to 45b4389 Compare September 6, 2025 23:07

vercel Bot deployed to Preview September 6, 2025 23:09 View deployment

dcramer requested a review from a team September 6, 2025 23:11

dcramer force-pushed the oauth-redirect-uri-exact branch from 45b4389 to e51c216 Compare September 6, 2025 23:20

vercel Bot deployed to Preview September 6, 2025 23:22 View deployment

vercel Bot deployed to Preview September 9, 2025 16:14 View deployment

dcramer force-pushed the oauth-redirect-uri-exact branch from ee5b06b to 307cf94 Compare September 9, 2025 17:17

vercel Bot deployed to Preview September 9, 2025 17:19 View deployment

dcramer mentioned this pull request Sep 9, 2025

OAuth 2.1 — Plan and Tracking #99002

Open

59 tasks

vercel Bot deployed to Preview September 9, 2025 18:29 View deployment

oioki mentioned this pull request Sep 10, 2025

feat(oauth2): strict string matching for redirect_uri #82294

Closed

oioki approved these changes Sep 10, 2025

View reviewed changes

dcramer requested a review from leedongwei September 10, 2025 23:40

dcramer added 4 commits September 11, 2025 08:39

Stick to spec

47a3cc9

Swap to versioning field

03b8681

Fix lockfile

5edc526

dcramer added 2 commits September 11, 2025 08:43

Merge branch 'master' into oauth-redirect-uri-exact

1f4b506

rebase migration

cf60c19

dcramer force-pushed the oauth-redirect-uri-exact branch from ba046aa to cf60c19 Compare September 11, 2025 13:51

vercel Bot deployed to Preview September 11, 2025 13:53 View deployment

mdtro reviewed Sep 11, 2025

View reviewed changes

Comment thread src/sentry/models/apiapplication.py Outdated

mdtro reviewed Sep 11, 2025

View reviewed changes

Comment thread src/sentry/models/apiapplication.py Outdated

support https on loopback

a870984

vercel Bot deployed to Preview September 11, 2025 14:32 View deployment

mdtro approved these changes Sep 11, 2025

View reviewed changes

wedamija reviewed Sep 11, 2025

View reviewed changes

dcramer merged commit 4890c8c into master Sep 11, 2025
64 checks passed

dcramer deleted the oauth-redirect-uri-exact branch September 11, 2025 21:18

untitaker mentioned this pull request Sep 16, 2025

ref(span-buffer): Set compression level on by default #99569

Merged

github-actions Bot locked and limited conversation to collaborators Sep 27, 2025

Uh oh!

Conversation

dcramer commented Sep 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Sep 6, 2025

Uh oh!

dcramer commented Sep 6, 2025

Uh oh!

dcramer commented Sep 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov Bot commented Sep 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

dcramer commented Sep 7, 2025

Uh oh!

dcramer commented Sep 9, 2025

Uh oh!

github-actions Bot commented Sep 9, 2025

Uh oh!

dcramer commented Sep 10, 2025

Uh oh!

github-actions Bot commented Sep 11, 2025

Uh oh!

Uh oh!

Uh oh!

wedamija Sep 11, 2025

Choose a reason for hiding this comment

Uh oh!

wedamija Sep 11, 2025

Choose a reason for hiding this comment

Uh oh!

dcramer commented Sep 11, 2025

Uh oh!

Uh oh!

dcramer commented Sep 11, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

dcramer commented Sep 6, 2025 •

edited

Loading

dcramer commented Sep 6, 2025 •

edited

Loading

codecov Bot commented Sep 6, 2025 •

edited

Loading