No redirect for some AuthCodeGrant::validateAuthorizationRequest errors #1039
Comments
There are only certain instances where we would use the redirect uri in an error state. If the client issues an invalid, missing, or mismatching redirect uri, we do not use it. Similarly if the client ID is missing or invalid, we again ignore the redirect URI. This is a security precaution. If you know of any specific instances where you believe we are not adhering to the spec, please let me know and I will reopen this ticket. Thanks for getting in touch.
That is correct, but this library doesn't redirect in some cases even when that's not true.
That's why I created this issue, because there are such cases, which can be seen by looking at the code. Examples I noticed:
Maybe there are others, but these 2 I just checked. Based on that article, it doesn't follow this.
Thanks. I will take a look at this over the weekend.
Confirmed as an issue for at least the first scenario. Needs resolving.
Most error cases in `AuthCodeGrant::validateAuthorizationRequest` don't redirect back to the client even when `client_id` is specified. For example, when using "Authorization code grant" and the client sends a query with `response_type=code&client_id=existing&redirect_uri=https://...`, I would expect that it would get redirected back with an error so the client would know they're doing something wrong. But for most errors there are no redirects; also, even with `response_type=invalid&client_id=existing` I would want it to be redirected back. See https://www.oauth.com/oauth2-servers/server-side-apps/possible-errors/
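As an added illustration of the rule discussed in this thread (not code from league/oauth2-server), the function below applies RFC 6749 section 4.1.2.1: errors caused by a missing or invalid `client_id` or a missing, invalid or mismatching `redirect_uri` are shown to the resource owner and never redirected, while any other error (such as an unsupported `response_type`) is sent back to the validated `redirect_uri` with `error` and the client's `state`. The client registry `CLIENTS` and its URIs are constructed sample data; the policy of falling back to a single registered URI when `redirect_uri` is omitted is an assumption, not the library's behaviour.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Constructed sample registry (not the library's storage): client_id -> registered redirect URIs.
CLIENTS = {
    "existing": ["https://client.example/cb"],
}

def validate_authorization_request(query: str) -> dict:
    """Classify an authorization request's error handling.

    Returns {"redirect": url} when the error may be sent back to the client,
    {"display": reason} when it must be shown to the resource owner instead,
    or {"ok": True, "redirect_uri": uri} when the request is valid.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    client_id = params.get("client_id")
    if client_id not in CLIENTS:
        # Unknown or missing client: the redirect_uri cannot be trusted, so never redirect.
        return {"display": "unknown or missing client_id"}
    allowed = CLIENTS[client_id]
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        # Assumed policy: only fall back when exactly one URI is registered; never guess.
        if len(allowed) != 1:
            return {"display": "redirect_uri required for this client"}
        redirect_uri = allowed[0]
    elif redirect_uri not in allowed:
        # Exact string comparison against the registration; a mismatch is shown, not redirected.
        return {"display": "redirect_uri does not match registration"}

    # From here on redirect_uri is validated, so remaining errors go back to the client.
    error = None
    if "response_type" not in params:
        error = "invalid_request"
    elif params["response_type"] != "code":
        error = "unsupported_response_type"
    if error is None:
        return {"ok": True, "redirect_uri": redirect_uri}

    err_params = {"error": error}
    if "state" in params:
        err_params["state"] = params["state"]  # echo state so the client can correlate the response
    parts = urlsplit(redirect_uri)
    qs = (parts.query + "&" if parts.query else "") + urlencode(err_params)
    return {"redirect": urlunsplit((parts.scheme, parts.netloc, parts.path, qs, ""))}
```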