thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Non-URL redirection URIs fail validation (e.g., for native apps with custom schemes) #1273

Closed bradjones1 closed 2 years ago

bradjones1 commented 2 years ago

I have a native app which performs OAuth2 with, among other clients, a native app.

The redirection URI is something like native.app.reverse.dns://, which is a valid URI but is not a URL.

Spec references: https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2 and https://datatracker.ietf.org/doc/html/rfc3986#section-4.3

The culprit is parse_url(), which, as the name implies, is specific to URLs. Further, FWIW, the PHP docs say:

This function is not meant to validate the given URL, it only breaks it up into the parts listed below...

Which is more or less what we're doing here.

To be truly spec-compliant, we must allow and match against URIs, not just the subset which are URLs.

This being a League package, good thing there's https://github.com/thephpleague/uri, which advertises URI validation and manipulation. Let's use that.

Also, this affects the Drupal implementation, since Drupal core assumes URIs are URLs, despite the various interfaces being called UriWhatever.
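As an added example (not code from the oauth2-server project or from this issue's author), the following PHP shows why parse_url() is the wrong tool for this check and one way to match a registered redirect URI that is not limited to URLs; the sample URIs and the helper names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a native app registered with a reverse-DNS custom-scheme
// redirect URI (as in the issue) next to an ordinary HTTPS redirect URI.
$registered = ['native.app.reverse.dns://', 'https://example.com/callback'];

// parse_url() is URL-specific: a custom scheme with an empty authority makes it
// return false, so any validator built on it rejects this valid URI outright.
var_dump(parse_url('native.app.reverse.dns://'));

// RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Hypothetical helper: checks only that the value is a URI with a scheme.
function isSyntacticallyValidUri(string $uri): bool
{
    return (bool) preg_match('~^[A-Za-z][A-Za-z0-9+.-]*:~', $uri);
}

// Hypothetical helper (the library's own validator may differ): accept a
// redirect URI only if it is a URI and exactly equals a registered one.
// RFC 6749 section 3.1.2.3 requires simple string comparison for fully
// registered redirect URIs, so no prefix, superstring or added query is matched.
function redirectUriIsRegistered(string $candidate, array $registered): bool
{
    if (!isSyntacticallyValidUri($candidate)) {
        return false;
    }

    return in_array($candidate, $registered, true);
}

// Exact match on the custom-scheme URI is accepted.
var_dump(redirectUriIsRegistered('native.app.reverse.dns://', $registered));
// A superstring of the registered value is rejected.
var_dump(redirectUriIsRegistered('native.app.reverse.dns://other', $registered));
// An extra query component on the HTTPS URI is rejected.
var_dump(redirectUriIsRegistered('https://example.com/callback?x=1', $registered));
// A value with no scheme at all is rejected before comparison.
var_dump(redirectUriIsRegistered('example.com/callback', $registered));
```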

bradjones1 commented 2 years ago

Potentially related https://github.com/thephpleague/oauth2-server/issues/1039

bradjones1 commented 2 years ago

Refs https://github.com/thephpleague/oauth2-server/issues/1188#issuecomment-906264171, though that and its related PR still use parse_url() which I think is incorrect.

Sephster commented 2 years ago

Thanks @bradjones1 and thanks for the PR. I will take a look at this tomorrow.

victorbalssa commented 2 years ago

Hello, same problem here. I have a native application with scheme:// as redirect_uri. Thank you @bradjones1 💪🏻