Open dshanske opened 6 years ago
Here's what my auth endpoint shows when there is a mismatch.
If the redirect_uri and client_id have the same domain then that notice is not shown.
In case people are searching for the error message they see, the WordPress plugin currently shows this when encountering this error:
{"error":"invalid_grant","error_description":"Redirect not on same host as client"}
I'm currently experiencing this issue with Indigenous.
This was changed in version 2.0.2
The issue is still open as it warns, but doesn't check for an allowlist.
Currently, the plugin only supports redirect_uris on the same domain as the client_id. The spec calls for having the client_id have an allowlist of acceptable redirect_uris that can be polled. This is not yet supported.
@aaronpk alternatively allows this to be overridden by issuing a warning in the authorization screen, as opposed to what the plugin does, which is reject it.
https://indieauth.spec.indieweb.org/#redirect-url
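
The check discussed in this thread, as an added Python example (not the plugin's code and not part of any comment above): accept a redirect_uri on the same scheme, host and port as the client_id, otherwise require an exact match against the `<link rel="redirect_uri">` entries published on the client_id page, as the linked spec section describes. The function names, the `.example` URLs and the sample HTML are constructed, and the client page is assumed to have been fetched already.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample of what a client_id page might publish.
CLIENT_HTML = """<html><head>
<link rel="redirect_uri" href="exampleapp://auth/callback">
<link rel="stylesheet" href="/style.css">
</head></html>"""


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


class RedirectLinkParser(HTMLParser):
    """Collect href values of <link rel="redirect_uri"> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.allowed = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        rels = (attr.get("rel") or "").lower().split()
        if tag == "link" and "redirect_uri" in rels and attr.get("href"):
            # Relative hrefs resolve against the client_id URL.
            self.allowed.add(urljoin(self.base_url, attr["href"]))


def check_redirect_uri(client_id, redirect_uri, client_html=""):
    """Return 'same_origin', 'allowlisted' or 'rejected'.

    Only <link> tags are parsed here; entries published in an HTTP Link
    header would have to be merged into the allowlist by the caller.
    """
    if origin(client_id) == origin(redirect_uri):
        return "same_origin"
    parser = RedirectLinkParser(client_id)
    parser.feed(client_html)
    # Allowlist entries must match the requested redirect_uri exactly.
    if redirect_uri in parser.allowed:
        return "allowlisted"
    return "rejected"
```

An endpoint can map `rejected` to the `invalid_grant` error quoted above or to a warning on the authorization screen, which are the two behaviours described in this thread.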