jointakahe / takahe

An ActivityPub/Fediverse server
BSD 3-Clause "New" or "Revised" License
1.1k stars, 84 forks

Should redirect uri check ignore query params? #660

Open patrick91 opened 8 months ago

patrick91 commented 8 months ago

I was trying to set up Buffer today, and their redirect URI looks something like this: https://account.buffer.com/channels/connect?connectingMastodon=true&server=serverName&followBuffer=false

Which seems to break the check in here: https://github.com/jointakahe/takahe/blob/1ceef59becff921402c03504e434793702c35f5d/api/views/oauth.py#L91-L97

Putting the full URL in the application object worked, so I was wondering if we should ignore query params 😊

andrewgodwin commented 8 months ago

That's strictly against the OAuth spec:

> redirect_uri
>     REQUIRED, if the "redirect_uri" parameter was included in the
>     authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their
>     values MUST be identical.

If it's just Buffer, I'm not entirely inclined to fix it unless other stuff starts doing it too?
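To make the spec point concrete, here is an added example (not Takahe's own code; the registered URIs are constructed samples) that puts the exact-match check RFC 6749 requires next to the relaxed "ignore the query string" check the issue asks about. The strict check accepts the Buffer URL only when it was registered in full, which is exactly the behaviour the reporter observed; the relaxed one would also accept a redirect target whose query parameters the client never registered.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URIs a client app registered when it was
# created (Mastodon-style clients may register several).
REGISTERED = [
    "https://account.buffer.com/channels/connect"
    "?connectingMastodon=true&server=serverName&followBuffer=false",
    "https://example-client.test/callback",
]


def is_valid_redirect_uri(requested: str, registered: list[str]) -> bool:
    """Exact-match check in the spirit of RFC 6749 sections 3.1.2 and 4.1.3.

    The requested value must be identical to a registered one: no prefix
    matching, no normalisation, and no dropping of the query string. A URI
    carrying a fragment is rejected outright, since the redirection endpoint
    URI must not include a fragment component.
    """
    if urlsplit(requested).fragment:
        return False
    return any(requested == r for r in registered)


def _strip_query(uri: str) -> str:
    """Drop query and fragment so only scheme, host and path remain."""
    return urlsplit(uri)._replace(query="", fragment="").geturl()


def is_lax_redirect_uri(requested: str, registered: list[str]) -> bool:
    """The relaxed check proposed in the issue: compare with the query ignored.

    Included only to show what it lets through; a server should not use it,
    because the user would be redirected to a URI with query parameters the
    client never registered.
    """
    return any(_strip_query(requested) == _strip_query(r) for r in registered)


if __name__ == "__main__":
    base = "https://account.buffer.com/channels/connect"
    print("strict, full URL registered:", is_valid_redirect_uri(REGISTERED[0], REGISTERED))
    print("strict, base URL only:      ", is_valid_redirect_uri(base, REGISTERED))
    print("lax, base URL only:         ", is_lax_redirect_uri(base, REGISTERED))
    print("lax, altered query:         ", is_lax_redirect_uri(base + "?server=other.example", REGISTERED))
```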