mozilla / fxa-oauth-server

OAuth server for Firefox Accounts

Allow use of query strings in redirect_uri #547

Closed l-hedgehog closed 6 years ago

l-hedgehog commented 6 years ago

The validation introduced in #534 makes it an error.

rfk commented 6 years ago

For our reference, The Spec explicitly allows this:

   The redirection endpoint URI MUST be an absolute URI as defined by
   [RFC3986] Section 4.3.  The endpoint URI MAY include an
   "application/x-www-form-urlencoded" formatted (per Appendix B) query
   component ([RFC3986] Section 3.4), which MUST be retained when adding
   additional query parameters.  The endpoint URI MUST NOT include a
   fragment component.
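
The rules in the quoted passage, as an added example that is not part of the thread or of fxa-oauth-server's code: a check that accepts an absolute redirect URI with a query component, rejects a fragment, and retains the registered query when adding response parameters. The function names and the `client.example` URIs are constructed for illustration.

```javascript
// Added example: hypothetical helper names, not fxa-oauth-server code.

// Checks a redirect_uri against the quoted rules: absolute URI,
// optional query component, no fragment component.
function validateRedirectUri(uri) {
  if (typeof uri !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  // Test the raw string: URL.hash is '' for a trailing bare '#',
  // so relying on the parsed value would let that case through.
  if (uri.includes('#')) {
    return { ok: false, reason: 'fragment not allowed' };
  }
  let parsed;
  try {
    // With no base argument, relative references throw.
    parsed = new URL(uri);
  } catch (err) {
    return { ok: false, reason: 'not an absolute URI' };
  }
  return { ok: true, url: parsed };
}

// Builds the redirect for an authorization response while retaining
// the query component that was registered with the client.
function buildRedirect(registeredUri, params) {
  const result = validateRedirectUri(registeredUri);
  if (!result.ok) {
    throw new Error('invalid redirect_uri: ' + result.reason);
  }
  const url = result.url;
  for (const [name, value] of Object.entries(params)) {
    // append() keeps existing pairs; set() would overwrite a
    // registered parameter that happens to share the name.
    url.searchParams.append(name, value);
  }
  return url.href;
}
```

Mutating `searchParams` re-serializes the whole query in `application/x-www-form-urlencoded` form, which matches the format the quoted passage requires for the query component.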