an empty redirectURL should not imply "oob"

phamngsinh / goauth2

Automatically exported from code.google.com/p/goauth2

BSD 3-Clause "New" or "Revised" License

0 stars 0 forks source link

an empty redirectURL should not imply "oob" #17

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

Currently, if you don't specify a RedirectURL in your oauth.Config, it gets 
interpreted as "oob" when constructing an AuthCodeURL.  While I get that this 
is a nice convenience for when you actually want out-of-band token exchange, it 
means that it's impossible (unless I'm missing something) to construct an 
AuthCodeURL that legitimately does not specify a redirect_url.  For example, 
GitHub will use the redirect_url registered for that client_id if none if 
specified.

Original issue reported on code.google.com by willnorris@google.com on 14 May 2013 at 7:46

GoogleCodeExporter commented 8 years ago

(just double checked, and redirect_uri is defined as optional in the OAuth2 
spec, so having a truly empty value is completely valid)

Original comment by willnorris@google.com on 14 May 2013 at 7:48

GoogleCodeExporter commented 8 years ago

Yep, this should be fixed. I think the correct fix is just removing the code 
that adds "oob". This may break existing users. I should probably issue a 
formal release of goauth2 soon.

Original comment by a...@golang.org on 3 Jun 2013 at 1:06

Changed state: Accepted

GoogleCodeExporter commented 8 years ago

fixed in cf01a4ad4a2e

Original comment by willnorris@google.com on 5 Jun 2013 at 4:28

Changed state: Fixed