Looking to setup an oauth2 interaction in a notebook, but this requires registering the redirect URI with the external identity solution. Some insecure identity solutions allow for wildcard redirect URIs, but most should block that and will require the URLs to be registered explicitly.
For example, for Microsoft AAD I need to register the URL explicitly and the URL looks to have some version or hash code / blob ID in the URL. Is this static or coupled to notebook version or anything like that? Can I register this exact URL in my oauth2 application, and will it change over time? Or how can this work?
I’m not sure there’s a way to use the redirect method without a proxy, since you cannot redirect to the notebook iframe. But have you seen @azure/msal-browser - npm?
Yes I’m using msal-browser client. The issue is AADSTS doesn’t allow wildcard redirect URIs so you can’t do something like register “https://keystroke.static.observableusercontent.com/*” as a redirect URI. Some other identity solutions allow this (or at least used to). One can use the msal package to login with pop-up or redirect if you temporarily register the dynamic worker URL as the redirect URI in the oauth2 app configuration. But if that changes over time it’s not reliable approach.
Using a proxy is undesirable in what would otherwise be purely client-side SPA.
Since an actual location change back to the worker doesn’t give you a functioning notebook, I suspect that this is more about the cookie domain and path?
In that case you could try to register your worker domain and root path (https://keystroke.static.observableusercontent.com/) instead of the full path, and then poll until you have access to the window’s location again.