response_type must be id, code, or omitted. Omitted is treated as id.
scope must match /^[\x21\x23-\x5B\x5D-\x7E]+$/ or be omitted.
Allowed character ranges for state and scope taken from RFC 6749: OAuth 2.0.
When state or scope are given as empty strings, should that be treated as omitted? Should it throw an error?
For the “full URI” requirement we should use a PHP Validate filter: FILTER_VALIDATE_URL. I think we enable both FILTER_FLAG_SCHEME_REQUIRED and FILTER_FLAG_HOST_REQUIRED to force the “full” part of the requirement.
Zegnat
commented
7 years ago
I am working on this, but documenting here.
memust be a full URI.client_idmust be a full URI.redirect_urimust be a full URI.statemust match/^[\x20-\x7E]+$/or be omitted.response_typemust beid,code, or omitted. Omitted is treated asid.scopemust match/^[\x21\x23-\x5B\x5D-\x7E]+$/or be omitted.Allowed character ranges for
stateandscopetaken from RFC 6749: OAuth 2.0.When
stateorscopeare given as empty strings, should that be treated as omitted? Should it throw an error?For the “full URI” requirement we should use a PHP Validate filter:
FILTER_VALIDATE_URL. I think we enable bothFILTER_FLAG_SCHEME_REQUIREDandFILTER_FLAG_HOST_REQUIREDto force the “full” part of the requirement.