If the client application (or an impersonated client application) attempts to redirect the user to a wrong redirect URI, where should the client be redirected to? Currently, we're redirecting the user to the requested redirect URI, but that doesn't look like the correct/safe direction.
There should be an investigation around that, and what is expected by RFC 6749 should be implemented.
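As an added illustration of the behaviour RFC 6749 (section 3.1.2.4) expects, and not code from the project this issue belongs to: when the requested redirect_uri does not exactly match one registered for the client, the authorization server informs the resource owner with an error page and never redirects the user-agent to the unvalidated URI; only errors found after the URI has been validated (for example an unsupported response_type) are reported by redirecting to it. The client registry, the `handle_authorize` entry point and the `AuthorizeOutcome` result type are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical client registry: client_id -> set of registered redirect URIs.
# Constructed for this example; a real server would load this from storage.
REGISTERED_CLIENTS = {
    "demo-client": {"https://app.example.com/callback"},
}


@dataclass
class AuthorizeOutcome:
    """Result of an authorization request (assumed shape for this example)."""
    kind: str                      # "redirect" or "error_page"
    location: Optional[str] = None  # only set when kind == "redirect"
    error: Optional[str] = None     # only set when kind == "error_page"


def append_query(uri: str, extra: Dict[str, Optional[str]]) -> str:
    """Append parameters to a URI, preserving any query it already carries."""
    parts = urlsplit(uri)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    merged = existing + [(k, v) for k, v in extra.items() if v is not None]
    return urlunsplit(parts._replace(query=urlencode(merged)))


def validate_redirect_uri(client_id: Optional[str], requested: Optional[str]) -> bool:
    """Exact-string comparison against the registered URIs, as RFC 6749 3.1.2.3
    requires. No prefix, substring or host-suffix matching: those are exactly
    the loopholes an impersonating client relies on."""
    registered = REGISTERED_CLIENTS.get(client_id or "")
    if registered is None:
        return False
    if requested is None:
        # Omitting redirect_uri is only acceptable when exactly one is registered.
        return len(registered) == 1
    return requested in registered


def handle_authorize(params: Dict[str, str]) -> AuthorizeOutcome:
    """Authorization endpoint logic for the redirect_uri decision."""
    client_id = params.get("client_id")
    requested = params.get("redirect_uri")

    if not validate_redirect_uri(client_id, requested):
        # RFC 6749 3.1.2.4: on a missing/invalid/mismatching redirection URI the
        # server SHOULD inform the resource owner and MUST NOT redirect the
        # user-agent to the invalid URI. So: error page, no Location header.
        return AuthorizeOutcome(
            kind="error_page",
            error="invalid_request: redirect_uri missing, unknown or mismatching",
        )

    # From here on the URI is trusted; it is the registered one, not a guess.
    redirect_uri = requested or next(iter(REGISTERED_CLIENTS[client_id]))
    state = params.get("state")

    if params.get("response_type") != "code":
        # Errors discovered after validation ARE delivered by redirect (4.1.2.1).
        return AuthorizeOutcome(
            kind="redirect",
            location=append_query(
                redirect_uri, {"error": "unsupported_response_type", "state": state}
            ),
        )

    # Successful flow: issue a short-lived authorization code (resource-owner
    # consent is assumed to have happened already in this simplified example).
    code = secrets.token_urlsafe(32)
    return AuthorizeOutcome(
        kind="redirect",
        location=append_query(redirect_uri, {"code": code, "state": state}),
    )


if __name__ == "__main__":
    # Constructed sample requests: one forged redirect, one legitimate.
    print(handle_authorize({"client_id": "demo-client", "response_type": "code",
                            "redirect_uri": "https://app.example.com.attacker.test/callback"}))
    print(handle_authorize({"client_id": "demo-client", "response_type": "code",
                            "redirect_uri": "https://app.example.com/callback", "state": "xyz"}))
```

The important property is that the `error_page` outcome carries no `location` at all, so no layer above it can accidentally turn the mismatch into a redirect; a mismatching redirect_uri is reported to the user on the server's own page, and the client-supplied URI is never used as a destination.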