Open almirbi opened 7 years ago
@rmccue fixed it up a bit as suggested.
Also if there was no redirect_uri in the initial auth request, but there is one in the access token request and it matches the callbacks registered with the client - it's fine, just for convenience reasons.
https://tools.ietf.org/html/rfc6749#section-4.1.3
Check whether redirect_uri matches the one in the initial request;
`validate_redirect_uri` function does not return a registered callback from the DB anymore, if no redirect_uri has been given, as it is an optional parameter. The name of the function did not explain the behaviour well.
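The token-endpoint check described in this comment, as an added example that is not the pull request's code: it applies the RFC 6749 section 4.1.3 rule plus the convenience case mentioned above. The function name, the sample callbacks and the test cases are constructed for illustration.

```python
# Added illustration; not taken from the pull request. All names and
# sample values here are constructed.

def token_redirect_uri_error(auth_uri, token_uri, registered_callbacks):
    """Return None when the token request's redirect_uri is acceptable,
    otherwise the RFC 6749 section 5.2 error code "invalid_grant".

    auth_uri   -- redirect_uri stored with the authorization code, or None
    token_uri  -- redirect_uri sent in the access token request, or None
    """
    if auth_uri is not None:
        # The authorization request carried a redirect_uri, so the token
        # request must repeat it and the two values must be identical.
        if token_uri is None or token_uri != auth_uri:
            return "invalid_grant"
        return None
    if token_uri is None:
        # Omitted in both requests: there is nothing to compare.
        return None
    # Omitted at authorization but present now (the convenience case):
    # accepted only on an exact string match with a registered callback.
    if token_uri in registered_callbacks:
        return None
    return "invalid_grant"


CALLBACKS = ["https://client.example/cb", "https://client.example/alt"]

# (auth request redirect_uri, token request redirect_uri)
CASES = [
    ("https://client.example/cb", "https://client.example/cb"),   # identical
    ("https://client.example/cb", None),                          # dropped
    ("https://client.example/cb", "https://client.example/alt"),  # swapped
    (None, None),                                                 # never sent
    (None, "https://client.example/alt"),                         # registered
    (None, "https://client.example/cb/extra"),                    # not exact
]


def run_cases():
    return [token_redirect_uri_error(a, t, CALLBACKS) for a, t in CASES]


if __name__ == "__main__":
    for (a, t), err in zip(CASES, run_cases()):
        print(f"auth={a!r} token={t!r} -> {err or 'ok'}")
```

Note the third case: a registered callback is still rejected when it differs from the one bound to the authorization code.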