Before doing the HHVM fix, I'm going to merge that quickly. Basically, this allows having multiple redirect URIs in the client, which is often useful, but above everything else, it fixes a security issue (disclaimer: I was actually implementing the spec, but that's a side effect that can happen).
Previously, if someone gave a redirect URI in a query param, the user would be redirected to it without any check, so someone making a fake "registration page" could potentially set his own redirect URI. Now, there is a strict check of the given redirect URI, and if it was not registered with the client, then an error is thrown instead of generating the auth code.
I'm going to tag this as 0.4 as there is a slight DB model change.
@Ocramius, could you please add a note in the security Symfony thing to encourage people to use 0.4? (The other grants have no problem, however.)
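An illustration of the before/after behaviour described in the comment above, as an added example that is not the project's own code (the project is PHP; this is a standalone Python sketch). The client registry, client IDs and URIs are constructed sample data, and the function names are hypothetical. The point is the one the comment makes for the authorization-code grant: the requested `redirect_uri` must match one of the URIs registered for the client exactly, and on a mismatch the server must raise an error instead of issuing a code, and must not redirect at all, since redirecting to the unregistered URI is exactly what hands the code to the attacker.

```python
"""Authorization-code grant: redirect_uri handling before and after the fix.

Constructed illustration. The 'before' handler trusts whatever redirect_uri
the query string carries; the 'after' handler accepts only a URI registered
for the client and refuses to redirect on mismatch.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode


class InvalidRedirectUri(Exception):
    """redirect_uri missing or not registered for the client.
    RFC 6749 s4.1.2.1: the server MUST NOT redirect in this case; it should
    show the resource owner an error instead."""


@dataclass
class Client:
    client_id: str
    redirect_uris: list = field(default_factory=list)  # several allowed per client


# Hypothetical in-memory client registry (constructed sample data).
CLIENTS = {
    "shop": Client("shop", ["https://shop.example/cb", "https://shop.example/mobile/cb"]),
    "single": Client("single", ["https://single.example/cb"]),
}


def _issue_code():
    return secrets.token_urlsafe(24)


def _redirect_with_code(target, state):
    return target + "?" + urlencode({"code": _issue_code(), "state": state})


def authorize_unchecked(params):
    """'Before': redirect wherever the query parameter says. Vulnerable: an
    attacker-crafted authorization link sends the code to the attacker."""
    client = CLIENTS[params["client_id"]]
    target = params.get("redirect_uri") or client.redirect_uris[0]
    return _redirect_with_code(target, params.get("state", ""))


def resolve_redirect_uri(client, requested):
    """Exact string comparison against the registered set. No prefix or
    substring matching, so 'https://shop.example/cb.evil.example' and
    'https://shop.example/cb?x=1' are both rejected. If the request omits
    redirect_uri, fall back only when exactly one URI is registered
    (RFC 6749 s3.1.2.3); otherwise the request is ambiguous and is refused."""
    if requested is None:
        if len(client.redirect_uris) == 1:
            return client.redirect_uris[0]
        raise InvalidRedirectUri("redirect_uri required: client has several registered")
    if requested in client.redirect_uris:
        return requested
    raise InvalidRedirectUri("redirect_uri not registered for this client")


def authorize_checked(params):
    """'After': validate first. An unregistered URI raises before any code
    is generated, and the caller renders an error page rather than a 302."""
    client = CLIENTS[params["client_id"]]
    target = resolve_redirect_uri(client, params.get("redirect_uri"))  # raises on mismatch
    return _redirect_with_code(target, params.get("state", ""))


if __name__ == "__main__":
    attack = {"client_id": "shop", "redirect_uri": "https://attacker.example/steal", "state": "s1"}
    print("before:", authorize_unchecked(attack))  # code leaks to attacker.example
    try:
        authorize_checked(attack)
    except InvalidRedirectUri as exc:
        print("after :", exc)  # no redirect, no code issued
```

The comparison is deliberately a plain equality test on the full string, not a prefix or host check: once a client can register more than one URI, the safe rule is still "the request must name one of them verbatim".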