Announcement Announcement Module
No announcement yet.
OAuth2 Invalid Redirect URI is detected but still redirected anyway Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • OAuth2 Invalid Redirect URI is detected but still redirected anyway

    If you have a client with a registered redirect URI and you specify an invalid redirect when requesting an authorization code, the invalid redirect URI will be detected but the client is redirected to the invalid URI anyway, with an error appended.

    Here's an example using sparklr:

    my-client-with-registered-redirect has a registered redirect URI of http://anywhere
    1. http://localhost:8080/sparklr/oauth/
    2. Sign in and authorize
    3. Client is redirected to

    The draft spec says,
    If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error, and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    Does anyone know if there is an existing bug or TODO against this for spring-security-oauth?

  • #2
    I don't remember seeing a JIRA issue for that. Please feel free to fix it (I think it can be handled in the AuthorizationEndpoint) and send a pull request (see README for contributor's agreement).


    • #3
      Done and done.