Added new configuration property to allow unsafe redirect uris

[kay-schecker]

In our project we use your oidc provider as internal test server. For that it would be very useful to allow unsafe redirect_uris, because we want to use localhost and http for local development.
Please see the updated configuration.md for more details.

[kay-schecker]

One of the three builds has failed, but it seems not to be related to my changes?

[codecov-io]

Codecov Report

Merging #191 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff          @@
##           master   #191   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files         100    100           
  Lines        2544   2545    +1     
=====================================
+ Hits         2544   2545    +1

Impacted Files	Coverage Δ
lib/helpers/defaults.js	100% <ø> (ø)	⬆️
lib/models/client.js	100% <100%> (ø)	⬆️
lib/actions/token.js	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6e28da2...f6bfa33. Read the comment docs.

[panva]

Hello @kay-schecker, while I understand the use case and already received these kinds of requests in the past, it is not a feature i wish to offer, not with an env variable, neither with a configuration setting and for sure not as part of recognized client metadata. I'm afraid you'll have to work off a fork or find a another solution. Thank you for understanding, ignoring the specs and allowing this for dev environment will only lead to devs forgetting these options are in place and end up with vulnerable client setups.

edit: if it helps it's simple enough to run even dev servers with valid TLS certificates, i recently wrote an article about how to do that with caddy and let's encrypt.

[kay-schecker]

Hi @panva, thanks for your fast reply. I clearly understand your reasoning, but isn't there any other way besides the fork, because this will potentially end in a nightmare of forks, if other developers need the same feature. It would be great to have plugin support for the oidc-provider, so developers can add functionality like this easily.

Regarding your suggestion to use TLS certificates on our dev-servers:

We work with angular-cli and start a server on the developer machine itself. This server isn't protected by TLS by default. Furthermore the application is served on 0.0.0.0 / localhost then. That means that we'll run always into the same issue, when we start a new angular-cli project. Unfortunately, Angular also has a bug at the moment, so we can't start with TLS at all. But i know this doesn't matter for the oidc-provider. I'm just looking for a solution to my problem.

[panva]

I really don't want a feature like this in the code and documentation. I can see the following, and let me know if it works for you.

The Client constructor that's returned and available through provider.Client uses a provider specific Schema, this Schema may be assigned to the Client as a class property. Through that you could simply overload the redirectUris() schema method to not do any validations. This is hopefully destructive enough that noone will actually think of using it aside it of test environments or devs who know what they're doing.

edit: see e553b1f

[kay-schecker]

Thanks a lot i'll give it a try and let you know :-)

[kay-schecker]

Yeah, it's working well 👍 Do you plan a new release or a snapshot to publish this change?

[panva]

Probably next week, until then just use master.