Conversation

@cemalkilic (Contributor) commented Dec 16, 2025

Problem

Fixes #2285

The OAuth 2.0 Client Registration endpoint was incorrectly rejecting custom URI schemes like cursor:// or myapp://, blocking native application integrations.

Root Cause

The validation logic in validateRedirectURI() was overly restrictive, only allowing HTTPS or HTTP (localhost). This contradicted RFC 8252 (OAuth 2.0 for Native Apps), which recommends custom URI schemes.

Solution

Relaxed redirect URI validation

New Validation Rules

  • HTTPS - always allowed
  • Custom URI schemes - allowed for native apps (cursor://, myapp://, vscode://, etc.)
  • HTTP - only for localhost/loopback (localhost, 127.0.0.1, ::1)
  • Fragments - still rejected per spec
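The four rules above as a worked Go validator, added for this page rather than taken from Supabase Auth's own validateRedirectURI(); the function name is reused only for readability, and the sample URIs in main are constructed apart from the cursor:// one reported later in the thread:

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// validateRedirectURI applies the rules from the PR description: https always,
// http only for localhost/loopback, any other scheme accepted as a native-app
// custom scheme (RFC 8252 section 7.1), and no fragment for any scheme.
func validateRedirectURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid redirect_uri %q: %w", raw, err)
	}
	// url.Parse drops an empty trailing "#", so also check the raw string.
	if u.Fragment != "" || strings.Contains(raw, "#") {
		return fmt.Errorf("invalid redirect_uri %q: fragment not allowed", raw)
	}
	switch strings.ToLower(u.Scheme) {
	case "":
		return fmt.Errorf("invalid redirect_uri %q: missing scheme", raw)
	case "https":
		return nil
	case "http":
		ip := net.ParseIP(u.Hostname())
		if u.Hostname() == "localhost" || (ip != nil && ip.IsLoopback()) {
			return nil
		}
		return fmt.Errorf("invalid redirect_uri %q: http only allowed for localhost/loopback", raw)
	default:
		// Custom scheme. It is not exclusively owned by one app, so the
		// authorization code must still be bound with PKCE (RFC 8252 section 8.1).
		return nil
	}
}

func main() {
	for _, uri := range []string{
		"cursor://anysphere.cursor-mcp/oauth/callback", // URI from the thread
		"http://127.0.0.1:3000/callback",               // constructed
		"http://example.com/callback",                  // constructed, rejected
		"https://example.com/callback#token",           // constructed, rejected
	} {
		fmt.Printf("%-46s -> %v\n", uri, validateRedirectURI(uri))
	}
}
```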

@cemalkilic cemalkilic requested a review from a team as a code owner December 16, 2025 10:37
@coveralls commented Dec 16, 2025

Pull Request Test Coverage Report for Build 20575142169

Details

  • 6 of 6 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.001%) to 68.783%

Totals Coverage Status

  • Change from base Build 20463603498: 0.001%
  • Covered Lines: 14743
  • Relevant Lines: 21434

💛 - Coveralls

@Rodriguespn left a comment

LGTM 👍

@Rodriguespn Rodriguespn force-pushed the cemal/fix-oauth-client-redirect-uri-validation branch from 70327de to 11d2189 Compare December 19, 2025 11:45
@cemalkilic cemalkilic merged commit ea72f57 into master Dec 29, 2025
7 checks passed
@cemalkilic cemalkilic deleted the cemal/fix-oauth-client-redirect-uri-validation branch December 29, 2025 15:47
hf added a commit that referenced this pull request Jan 12, 2026
cemalkilic pushed a commit that referenced this pull request Jan 12, 2026
Resets the main branch (`master`) to have the same changeset as 2.184.0
but under 2.185.0.

Original release please notes:


### Features

* Add Sb-Forwarded-For header and IP-based rate limiting
([#2295](#2295))
([e8f679b](e8f679b))
* allow amr claim to be array of strings or objects
([#2274](#2274))
([607da43](607da43))
* Treat rate limit header value as comma-separated list
([#2282](#2282))
([5f2e279](5f2e279))


### Bug Fixes

* check each type independently
([#2290](#2290))
([d9de0af](d9de0af))
* fix the wrong error return value
([#1950](#1950))
([e2dfb5d](e2dfb5d))
* **indexworker:** remove pg_trgm extension
([#2301](#2301))
([c553b10](c553b10))
* **oauth-server:** allow custom URI schemes in client redirect URIs
([#2298](#2298))
([ea72f57](ea72f57))
* tighten email validation rules
([#2304](#2304))
([33bb372](33bb372))

---------

Co-authored-by: depthfirst-app[bot] <184448029+depthfirst-app[bot]@users.noreply.github.com>
cemalkilic pushed a commit that referenced this pull request Jan 12, 2026
🤖 I have created a release *beep* *boop*
---


## [2.185.0](v2.184.0...v2.185.0) (2026-01-12)


### Features

* Add Sb-Forwarded-For header and IP-based rate limiting
([#2295](#2295))
([e8f679b](e8f679b))
* allow amr claim to be array of strings or objects
([#2274](#2274))
([607da43](607da43))
* reset main branch to 2.185.0
([#2325](#2325))
([b9d0500](b9d0500))
* Treat rate limit header value as comma-separated list
([#2282](#2282))
([5f2e279](5f2e279))


### Bug Fixes

* additional provider and issuer checks
([#2326](#2326))
([cb79a74](cb79a74))
* check each type independently
([#2290](#2290))
([d9de0af](d9de0af))
* fix the wrong error return value
([#1950](#1950))
([e2dfb5d](e2dfb5d))
* **indexworker:** remove pg_trgm extension
([#2301](#2301))
([c553b10](c553b10))
* **oauth-server:** allow custom URI schemes in client redirect URIs
([#2298](#2298))
([ea72f57](ea72f57))
* tighten email validation rules
([#2304](#2304))
([33bb372](33bb372))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@nitnizzie commented

Hi! I was actually trying to deploy a remote MCP server over streamable HTTP using Supabase Auth as the OAuth server, and ran into an issue that looks related.

It seems custom URL schemes are being rejected:

"msg":"400: invalid redirect_uri 'cursor://anysphere.cursor-mcp/oauth/callback': scheme must be HTTPS or HTTP (localhost only)"

I initially thought this PR addressed that, but it looks like the change was reverted.
Is there a specific reason it was rolled back? Or is support for custom URL schemes (e.g. cursor://) something that might be added back later?

Thanks a lot, really appreciate the work on this 🙏

@kostasb commented Jan 15, 2026

> Hi! I was actually trying to deploy a remote MCP server over streamable HTTP using Supabase Auth as the OAuth server, and ran into an issue that looks related.
>
> It seems custom URL schemes are being rejected:
>
> "msg":"400: invalid redirect_uri 'cursor://anysphere.cursor-mcp/oauth/callback': scheme must be HTTPS or HTTP (localhost only)"
>
> I initially thought this PR addressed that, but it looks like the change was reverted. Is there a specific reason it was rolled back? Or is support for custom URL schemes (e.g. cursor://) something that might be added back later?
>
> Thanks a lot, really appreciate the work on this 🙏

@nitnizzie the revert is temporary. Expect it to be rolled out again in the coming weeks.

Development

Successfully merging this pull request may close these issues.

OAuth Dynamic Client Registration rejects custom URI schemes (inconsistency with PR #711)
