indieweb / wordpress-indieauth

IndieAuth for WordPress
https://wordpress.org/plugins/indieauth/
MIT License

Redirect_URI allowlist #41

Open dshanske opened 6 years ago

dshanske commented 6 years ago

Currently, the plugin only supports redirect_uris on the same domain as the client_id. The spec calls for having the client_id have an allowlist of acceptable redirect_uris that can be polled. This is not yet supported.

@aaronpk alternatively allows this to be overridden by issuing a warning in the authorization screen, as opposed to what the plugin does, which is to reject it.

https://indieauth.spec.indieweb.org/#redirect-url
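As an added example (not code from the IndieAuth for WordPress plugin or from the spec), the check described above in Python: accept a redirect_uri that shares scheme, host and port with the client_id, and otherwise accept it only if it appears exactly in the list the client publishes as rel="redirect_uri" in a Link header or in its HTML. Fetching the client_id document over HTTP is assumed to happen elsewhere; the Link header and HTML here are constructed sample responses, and the hostnames are made up.

```python
"""Added example: the IndieAuth redirect_uri check (same-origin fast path, then
the client's published rel="redirect_uri" allowlist). Not the plugin's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

_DEFAULT_PORTS = {"http": 80, "https": 443}

# One link-value of an HTTP Link header: <target>; param; param
_LINK_VALUE_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^;,]+)*)')


def _origin(url):
    """(scheme, host, effective port): the triple the spec compares."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname, p.port or _DEFAULT_PORTS.get(scheme)


def same_origin(client_id, redirect_uri):
    """True when scheme, host and port all match (no allowlist needed)."""
    return _origin(client_id) == _origin(redirect_uri)


def redirect_uris_from_link_header(header_value, base):
    """Targets of Link values carrying rel="redirect_uri", resolved against base."""
    found = []
    for target, params in _LINK_VALUE_RE.findall(header_value or ""):
        m = re.search(r'rel\s*=\s*"?([^";,]*)"?', params, re.IGNORECASE)
        if m and "redirect_uri" in m.group(1).lower().split():
            found.append(urljoin(base, target.strip()))
    return found


class _RedirectUriLinks(HTMLParser):
    """Collects href of <link>/<a> elements whose rel list contains redirect_uri."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "redirect_uri" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def redirect_uris_from_html(html, base):
    """rel="redirect_uri" hrefs in the client_id page, resolved against base."""
    parser = _RedirectUriLinks()
    parser.feed(html or "")
    return [urljoin(base, h) for h in parser.hrefs]


def published_redirect_uris(client_id, link_header="", html=""):
    """The client's allowlist: Link header entries first, then HTML ones."""
    return (redirect_uris_from_link_header(link_header, client_id)
            + redirect_uris_from_html(html, client_id))


def redirect_uri_allowed(client_id, redirect_uri, link_header="", html=""):
    """Decide whether redirect_uri may be used with client_id.

    Returns (allowed, reason). Allowlist matching is exact string equality: a
    prefix or host-only match would let an attacker append path or query parts.
    """
    if same_origin(client_id, redirect_uri):
        return True, "redirect_uri on same scheme/host/port as client_id"
    if redirect_uri in published_redirect_uris(client_id, link_header, html):
        return True, "redirect_uri listed in client_id's published allowlist"
    return False, "redirect_uri neither same-origin with client_id nor in its allowlist"


# Constructed sample client_id document (made-up hostnames, not real sites).
CLIENT_ID = "https://app.example/"
SAMPLE_LINK_HEADER = ('<https://app.example/callback>; rel="redirect_uri", '
                      '<https://mobile.example/auth>; rel="redirect_uri"')
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="redirect_uri" href="indigenous://auth/callback">
</head><body><a rel="redirect_uri" href="https://alt.example/cb">alt</a></body></html>"""

if __name__ == "__main__":
    for uri in ("https://app.example/anything",
                "https://mobile.example/auth",
                "indigenous://auth/callback",
                "https://app.example:8443/cb",
                "https://mobile.example/auth/../../evil",
                "https://evil.example/cb"):
        print(uri, redirect_uri_allowed(CLIENT_ID, uri, SAMPLE_LINK_HEADER, SAMPLE_HTML))
```

The port is part of the origin comparison on purpose: `https://app.example:8443/cb` is not the same origin as `https://app.example/`, so it must be on the allowlist like any other host. Custom schemes such as the `indigenous://` callback pass only because the client publishes them, not because the scheme is trusted.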

aaronpk commented 6 years ago

Here's what my auth endpoint shows when there is a mismatch.

[screenshot 2018-04-26 06:43:37]

If the redirect_uri and client_id have the same domain then that notice is not shown.

aaronpk commented 6 years ago

In case people are searching for the error message they see, the wordpress plugin currently shows this when encountering this error:

{"error":"invalid_grant","error_description":"Redirect not on same host as client"}

miklb commented 6 years ago

I'm currently experiencing this issue with Indigenous.

dshanske commented 6 years ago

This was changed in version 2.0.2

dshanske commented 6 years ago

The issue is still open as it warns, but doesn't check for an allowlist