fix(oauth2): allow custom URI schemes without reverse domain notation for native apps

ThomasK33 · ThomasK33 · commit 80b2b40856a5 · 2025-07-15T18:30:16.000+02:00
Change-Id: I4000cd39caa994efe0b76c4984e968f2963063ca
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/codersdk/oauth2.go b/codersdk/oauth2.go
@@ -93,7 +93,7 @@ func (c *Client) OAuth2ProviderApp(ctx context.Context, id uuid.UUID) (OAuth2Pro
 
 type PostOAuth2ProviderAppRequest struct {
 	Name         string                    `json:"name" validate:"required,oauth2_app_display_name"`
-	RedirectURIs []string                  `json:"redirect_uris" validate:"dive,http_url"`
+	RedirectURIs []string                  `json:"redirect_uris" validate:"dive,uri"`
 	Icon         string                    `json:"icon" validate:"omitempty"`
 	GrantTypes   []OAuth2ProviderGrantType `json:"grant_types,omitempty" validate:"dive,oneof=authorization_code refresh_token client_credentials urn:ietf:params:oauth:grant-type:device_code"`
 }
@@ -150,7 +150,7 @@ func (c *Client) PostOAuth2ProviderApp(ctx context.Context, app PostOAuth2Provid
 
 type PutOAuth2ProviderAppRequest struct {
 	Name         string                    `json:"name" validate:"required,oauth2_app_display_name"`
-	RedirectURIs []string                  `json:"redirect_uris" validate:"dive,http_url"`
+	RedirectURIs []string                  `json:"redirect_uris" validate:"dive,uri"`
 	Icon         string                    `json:"icon" validate:"omitempty"`
 	GrantTypes   []OAuth2ProviderGrantType `json:"grant_types,omitempty" validate:"dive,oneof=authorization_code refresh_token client_credentials urn:ietf:params:oauth:grant-type:device_code"`
 }
diff --git a/codersdk/oauth2_validation.go b/codersdk/oauth2_validation.go
@@ -257,12 +257,6 @@ func isLoopbackAddress(hostname string) bool {
 
 // isValidCustomScheme validates custom schemes for public clients (RFC 8252)
 func isValidCustomScheme(scheme string) bool {
-	// For security and RFC compliance, require reverse domain notation
-	// Should contain at least one period and not be a well-known scheme
-	if !strings.Contains(scheme, ".") {
-		return false
-	}
-
 	// Block schemes that look like well-known protocols
 	wellKnownSchemes := []string{"http", "https", "ftp", "mailto", "tel", "sms"}
 	for _, wellKnown := range wellKnownSchemes {
