Hi,
I'm currently stepping through the logic for handling OAuth2 requests, at
the same time reading through RFC 6749 and trying to wrap my head around
what's going on :)
I noticed that in AuthCodeGrantValidator#validateRequest() a condition
states "if servlet request has a redirect_uri, then it must match the one
stored in the authcode"[1], but from my reading of the RFC it should be "if
authcode has a redirect_uri, then the servlet request must specify the same
one" [2][3].
Am I missing something?
Regards,
--
Andreas
[1]
67 if (servletRequest.getRedirectURI() != null
68     && !servletRequest.getRedirectURI().equals(authCode.getRedirectURI())) {
69   OAuth2NormalizedResponse response = new OAuth2NormalizedResponse();
70   response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
71   response.setError(ErrorType.INVALID_GRANT.toString());
72   response
73       .setErrorDescription("The redirect URI does not match the one used in the authorization request");
74   response.setBodyReturned(true);
75   throw new OAuth2Exception(response);
76 }
[2] Section 4.1.3 Access Token Request says:
   o ensure that the "redirect_uri" parameter is present if the
     "redirect_uri" parameter was included in the initial authorization
     request as described in Section 4.1.1
     <http://tools.ietf.org/html/rfc6749#section-4.1.1>, and if included
     ensure that their values are identical.
[3] Fix would be to replace lines 67 and 68 with:
if (authCode.getRedirectURI() != null
    && !authCode.getRedirectURI().equals(servletRequest.getRedirectURI())) {
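Added example (written for this thread, not code from the post or from the project): a self-contained Java program that runs the condition quoted at [1] and the proposed condition at [3] side by side over the cases Section 4.1.3 cares about. The class name, method names and the sample URIs are constructed for illustration. The case to watch is the third one: a token request that omits redirect_uri after the authorization request included it. The condition at [1] accepts it, so the code is not bound to the redirect_uri it was issued for; the condition at [3] rejects it, which is what the quoted RFC text requires.

```java
import java.util.Objects;

/** Hypothetical harness comparing the two redirect_uri checks discussed in the thread. */
public class RedirectUriCheck {

    /**
     * Same condition as the quoted AuthCodeGrantValidator lines 67-68:
     * reject only when the request carries a redirect_uri that differs
     * from the one stored with the authorization code.
     * Returns true when the token request would be rejected.
     */
    static boolean rejectsAsInValidator(String storedUri, String requestUri) {
        return requestUri != null && !requestUri.equals(storedUri);
    }

    /**
     * Proposed condition, following RFC 6749 section 4.1.3: if the
     * authorization request included redirect_uri, the token request
     * must include it as well and the values must be identical.
     * Returns true when the token request would be rejected.
     */
    static boolean rejectsPerRfc(String storedUri, String requestUri) {
        return storedUri != null && !storedUri.equals(requestUri);
    }

    public static void main(String[] args) {
        // Constructed sample values; no real client is involved.
        String stored = "https://client.example/cb";
        String other = "https://other.example/cb";

        // {description, redirect_uri stored with the code, redirect_uri in the token request}
        String[][] cases = {
            {"matching redirect_uri", stored, stored},
            {"different redirect_uri", stored, other},
            {"redirect_uri omitted from token request", stored, null},
            {"no redirect_uri in authorization request", null, other},
        };

        System.out.printf("%-44s %-10s %s%n", "case", "lines67-68", "proposed");
        for (String[] c : cases) {
            String storedUri = c[1];
            String requestUri = c[2];
            System.out.printf("%-44s %-10s %s%n", c[0],
                rejectsAsInValidator(storedUri, requestUri) ? "reject" : "accept",
                rejectsPerRfc(storedUri, requestUri) ? "reject" : "accept");
        }

        // Sanity check: the two conditions agree only when both sides are present
        // or both are absent; they diverge exactly when one side is null.
        boolean diverge = rejectsAsInValidator(stored, null) != rejectsPerRfc(stored, null);
        System.out.println("conditions diverge when the token request omits redirect_uri: "
            + diverge);
    }
}
```

The fourth case is not the one raised in the thread, but it falls out of the same comparison: when the authorization request carried no redirect_uri, the quoted Section 4.1.3 clause imposes no requirement, so the proposed condition accepts while the current one rejects. Whether that should be accepted depends on the server's registered-URI handling elsewhere, which this program does not model.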