Open ls-sean-fraser opened 1 week ago
Have you got a redirect Uri registered against your client?
Yes, my ClientEntityInterface implementation returns a value for the client. The redirect itself works fine; it is only the validation of it during the code exchange that is the problem.
Thanks for reporting this. I think I have a solution figured out. I'm going to change the code so we validate that if a redirect URI is passed, it must be a valid URI as per the specs. That negates the need to check for non empty strings as we shouldn't be accepting these in the first place.
I'll finalise this tomorrow and submit a fix. Thank you
Using version 9.0.0, using authorization code grant without specifying a redirect_uri in both requests does not seem to be accepted. The spec indicates these are only required if used in both places.
When using a default Authorization code entity...
If the redirect_uri is omitted from the authorize request, the authorization code contains a redirect_uri of `null`. The access token call then fails here, as the value is `null` but it is checking for an empty string: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AuthCodeGrant.php#L220-L224
Forcing the null redirect_uri to be an empty string in the entity doesn't resolve the issue, as the subsequent check will then fail to compare the redirect_uri of the code and the request, since `'' !== null`. I suspect that the check above should be changed to be: