Closed exeba closed 2 years ago
Yeah, we've encountered the same exact issue recently. I've created a separate post about this.
Thanks both. Happy to accept a PR but this looks like something we should resolve. I will flag it for a future update.
This change causes an "Undefined index: scheme" error for an invalid URI in the isLoopbackUri method of RedirectUriValidator. Maybe there should be a check that the provided string is a URI before parsing it.
PR #1237 fixes this issue.
As far as I understand the current implementation requires a perfect match between the registered redirection URI and the URI specified in the authorization request.
However, section 8.4 of RFC 8252 states:
Authorization servers MUST require clients to register their complete redirect URI (including the path component) and reject authorization requests that specify a redirect URI that doesn't exactly match the one that was registered; the exception is loopback redirects, where an exact match is required except for the port URI component.
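
The matching rule quoted above, combined with the parse guard suggested earlier in the thread, as an added PHP example that is not the library's code or the code of PR #1237. The function names are hypothetical, and this example treats only the IP-literal hosts 127.0.0.1 and [::1] over http as loopback.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, not the library's API.

/** Parse a URI; null unless parse_url() yields both a scheme and a host. */
function parseAbsoluteUri(string $uri): ?array
{
    $parts = parse_url($uri); // false on seriously malformed input
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // e.g. "not a uri" parses to a bare path with no 'scheme' key
    }
    return $parts;
}

/** Assumption of this example: loopback means http plus an IP-literal loopback host. */
function isLoopback(array $parts): bool
{
    return strtolower($parts['scheme']) === 'http'
        && in_array($parts['host'], ['127.0.0.1', '[::1]'], true);
}

/** Exact match, except that the port is ignored when both URIs are loopback. */
function redirectUriMatches(string $requested, string $registered): bool
{
    if ($requested === $registered) {
        return true;
    }
    $req = parseAbsoluteUri($requested);
    $reg = parseAbsoluteUri($registered);
    if ($req === null || $reg === null || !isLoopback($req) || !isLoopback($reg)) {
        return false; // non-loopback or unparsable: only the exact match above counts
    }
    unset($req['port'], $reg['port']);
    // Strict comparison: scheme, host, userinfo, path, query and fragment must all agree.
    return $req === $reg;
}

// Constructed sample inputs.
$registered = 'http://127.0.0.1/callback';
$candidates = [
    'http://127.0.0.1:51004/callback', // differs only in port
    'http://127.0.0.1:51004/other',    // differs in path
    'https://client.example/callback', // not loopback
    'not a uri',                       // no scheme or host
];
foreach ($candidates as $candidate) {
    $verdict = redirectUriMatches($candidate, $registered) ? 'accept' : 'reject';
    printf("%-34s %s\n", $candidate, $verdict);
}
```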