WP-API / OAuth2

Connect applications to your WordPress site without ever giving away your password.
GNU General Public License v2.0

Validating redirect_uri according to rfc6749 4.1.3 #45

Open almirbi opened 7 years ago

almirbi commented 7 years ago

https://tools.ietf.org/html/rfc6749#section-4.1.3

Check whether redirect_uri matches the one in the initial request;

The validate_redirect_uri function does not return a registered callback from the DB anymore if no redirect_uri has been given, as it is an optional parameter. The name of the function did not explain the behaviour well.

17

almirbi commented 7 years ago

@rmccue fixed it up a bit as suggested.

Also if there was no redirect_uri in the initial auth request, but there is one in the access token request and it matches the callbacks registered with the client - it's fine, just for convenience reasons.
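
The token-endpoint decision discussed in this thread, as an added example that is not code from the pull request or the plugin. The function name, its parameters and the sample URIs are hypothetical, and comparing against registered callbacks by exact string match is an assumption.

```php
<?php
// Added illustration: names are hypothetical, not taken from the plugin.

/**
 * Decide whether the redirect_uri of an access token request is acceptable.
 *
 * @param string|null $authorized_uri redirect_uri of the authorization request,
 *                                    stored with the code; null if it was omitted.
 * @param string|null $presented_uri  redirect_uri of the token request, or null.
 * @param string[]    $registered     Callbacks registered for the client.
 * @return bool
 */
function example_token_redirect_uri_ok( $authorized_uri, $presented_uri, array $registered ) {
	if ( null !== $authorized_uri ) {
		// RFC 6749 section 4.1.3: required here, and the values must be identical.
		return is_string( $presented_uri ) && $presented_uri === $authorized_uri;
	}
	if ( null === $presented_uri ) {
		// Optional parameter omitted in both requests: nothing to compare.
		return true;
	}
	// Only the token request carries one: accept it when it is a registered
	// callback. Exact string comparison is an assumption of this example.
	return in_array( $presented_uri, $registered, true );
}

// Constructed sample data.
$registered = array( 'https://client.example/callback' );
$cases      = array(
	'identical in both requests'       => array( 'https://client.example/callback', 'https://client.example/callback', true ),
	'different in token request'       => array( 'https://client.example/callback', 'https://client.example/other', false ),
	'missing from token request'       => array( 'https://client.example/callback', null, false ),
	'omitted in both requests'         => array( null, null, true ),
	'token request only, registered'   => array( null, 'https://client.example/callback', true ),
	'token request only, unregistered' => array( null, 'https://other.example/callback', false ),
);

foreach ( $cases as $label => $case ) {
	list( $authorized, $presented, $expected ) = $case;
	$actual = example_token_redirect_uri_ok( $authorized, $presented, $registered );
	printf( "%-34s %s (%s)\n", $label, $actual ? 'accept' : 'reject', $actual === $expected ? 'as expected' : 'UNEXPECTED' );
}
```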