thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Redirection URI validation and rfc8252 #1188

Closed exeba closed 2 years ago

exeba commented 3 years ago

As far as I understand, the current implementation requires a perfect match between the registered redirection URI and the URI specified in the authorization request.

However, section 8.4 of RFC 8252 states:

Authorization servers MUST require clients to register their complete redirect URI (including the path component) and reject authorization requests that specify a redirect URI that doesn't exactly match the one that was registered; the exception is loopback redirects, where an exact match is required except for the port URI component.

Nikita128 commented 3 years ago

Yeah, we've encountered the same exact issue recently. I've created a separate post about this.

Sephster commented 3 years ago

Thanks both. Happy to accept a PR but this looks like something we should resolve. I will flag it for a future update.

xbojer commented 3 years ago

This change causes an "Undefined index: scheme" error for an invalid URI in the isLoopbackUri method of RedirectUriValidator. Maybe there should be a check that the provided string is a URI before parsing it.
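The following is an added example, not code from league/oauth2-server, showing the matching rule exeba quotes from RFC 8252 section 8.4 together with the guard xbojer asks for: the registered and requested URIs must match exactly, except that a loopback redirect may differ in port, and any string that does not parse as an absolute URI is rejected before its components are read. The class name RedirectUriMatcher, the method names and the sample URIs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not league/oauth2-server code): redirect URI matching as
 * RFC 8252 section 8.4 describes it. An exact match is required, except that
 * a loopback redirect (http to 127.0.0.1 or [::1]) may differ in port.
 */
final class RedirectUriMatcher
{
    /** Hosts treated as loopback. "localhost" is deliberately excluded:
     *  RFC 8252 section 8.3 recommends the literal IP addresses instead. */
    private const LOOPBACK_HOSTS = ['127.0.0.1', '[::1]'];

    /**
     * Parse a URI and require the parts every redirect URI must carry.
     * parse_url() returns false for badly broken input and omits keys it
     * cannot find, so a relative path or garbage string never reaches the
     * comparison (this is the "Undefined index: scheme" case).
     *
     * @return array<string,string|int>|null
     */
    private static function parseStrict(string $uri): ?array
    {
        $parts = parse_url($uri);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return null;
        }
        // Scheme and host are case-insensitive (RFC 3986); normalise them.
        $parts['scheme'] = strtolower($parts['scheme']);
        $parts['host']   = strtolower($parts['host']);
        return $parts;
    }

    public static function isLoopbackUri(string $uri): bool
    {
        $parts = self::parseStrict($uri);
        return $parts !== null
            && $parts['scheme'] === 'http'
            && in_array($parts['host'], self::LOOPBACK_HOSTS, true);
    }

    public static function matches(string $registered, string $requested): bool
    {
        $reg = self::parseStrict($registered);
        $req = self::parseStrict($requested);
        if ($reg === null || $req === null) {
            return false; // an invalid URI never matches anything
        }
        if (self::isLoopbackUri($registered)) {
            // The port is the only component allowed to differ.
            unset($reg['port'], $req['port']);
        }
        // Strict array comparison: same components, same values, same types.
        return $reg === $req;
    }
}

// Constructed sample inputs: a registered loopback redirect and candidates
// an authorization request might carry.
$registered = 'http://127.0.0.1/callback';
$cases = [
    'http://127.0.0.1:51004/callback'  => true,  // port may differ
    'http://127.0.0.1/callback'        => true,  // identical
    'http://127.0.0.1:51004/other'     => false, // path must match
    'https://127.0.0.1:51004/callback' => false, // scheme must still match
    'http://localhost:51004/callback'  => false, // different host
    'not a uri'                        => false, // no scheme: rejected safely
    '/callback'                        => false, // relative: rejected safely
];
foreach ($cases as $candidate => $expected) {
    $ok = RedirectUriMatcher::matches($registered, $candidate) === $expected;
    printf("%-36s %s\n", $candidate, $ok ? 'ok' : 'MISMATCH');
}

// Non-loopback URIs get no port exception at all.
var_dump(RedirectUriMatcher::matches('https://app.example/cb', 'https://app.example:8443/cb')); // bool(false)
```

The strict array comparison is what keeps the rule "exact match" rather than "prefix match": a trailing slash, a different query string or a different fragment in the request all fail, and the loopback carve-out touches nothing but the port. Returning null from the parse step, instead of indexing into whatever parse_url() produced, is the guard that avoids the undefined-index notice on malformed input.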

eugene-borovov commented 3 years ago

PR #1237 fixes this issue.