Hi, I'm currently stepping through the logic for handling OAuth2 requests, at the same time reading through RFC 6749 and trying to wrap my head around what's going on :)
I noticed that in AuthCodeGrantValidator#validateRequest() a condition states "if servlet request has a redirect_uri, then it must match the one stored in the authcode" [1], but from my reading of the RFC it should be "if authcode has a redirect_uri, then the servlet request must specify the same one" [2][3]. Am I missing something?

Regards,

-- Andreas

[1]
 67     if (servletRequest.getRedirectURI() != null
 68         && !servletRequest.getRedirectURI().equals(authCode.getRedirectURI())) {
 69       OAuth2NormalizedResponse response = new OAuth2NormalizedResponse();
 70       response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 71       response.setError(ErrorType.INVALID_GRANT.toString());
 72       response
 73           .setErrorDescription("The redirect URI does not match the one used in the authorization request");
 74       response.setBodyReturned(true);
 75       throw new OAuth2Exception(response);
 76     }

[2] Section 4.1.3 Access Token Request says

    o  ensure that the "redirect_uri" parameter is present if the
       "redirect_uri" parameter was included in the initial authorization
       request as described in Section 4.1.1
       <http://tools.ietf.org/html/rfc6749#section-4.1.1>, and if included
       ensure that their values are identical.

[3] Fix would be to replace lines 67 and 68 with:

    if (authCode.getRedirectURI() != null
        && !authCode.getRedirectURI().equals(servletRequest.getRedirectURI())) {
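To make the difference between the two conditions concrete, here is an added example (not code from the post or from the project) that models the RFC 6749 section 4.1.3 check in Python: the condition as quoted from lines 67-68 and the proposed replacement are written side by side and run over the same four combinations of stored/requested redirect_uri. The AuthCode and TokenRequest records, the function names and the sample URIs are assumptions made for this example. The case that matters for security is the first one: a code issued to an authorization request that carried a redirect_uri, later presented in a token request that omits it. The RFC requires that request to be rejected, because the redirect_uri binding is what ties the code to the endpoint it was actually delivered to.

```python
"""Added example: RFC 6749 section 4.1.3 redirect_uri consistency check.

Not the project's code. Records, names and sample URIs are assumptions
constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class AuthCode:
    """Authorization code as stored by the server. redirect_uri is the value,
    if any, sent with the original authorization request (section 4.1.1)."""
    code: str
    client_id: str
    redirect_uri: Optional[str]


@dataclass(frozen=True)
class TokenRequest:
    """Access token request (section 4.1.3); redirect_uri may be absent."""
    code: str
    client_id: str
    redirect_uri: Optional[str]


def mismatch_as_posted(req: TokenRequest, ac: AuthCode) -> bool:
    """Condition quoted from lines 67-68: only compares when the token
    request itself carries a redirect_uri, so an omitted value passes."""
    return req.redirect_uri is not None and req.redirect_uri != ac.redirect_uri


def mismatch_fixed(req: TokenRequest, ac: AuthCode) -> bool:
    """Proposed fix: if the authorization request carried a redirect_uri,
    the token request must repeat exactly the same value (None fails)."""
    return ac.redirect_uri is not None and ac.redirect_uri != req.redirect_uri


def validate_token_request(req: TokenRequest, ac: AuthCode,
                           check: Callable[[TokenRequest, AuthCode], bool]
                           = mismatch_fixed) -> Dict[str, object]:
    """Minimal section 4.1.3 validation: code/client binding, then the
    redirect_uri rule. Returns an OAuth2 error body or {"ok": True}."""
    if req.code != ac.code or req.client_id != ac.client_id:
        return {"error": "invalid_grant",
                "error_description": "code not issued to this client"}
    if check(req, ac):
        return {"error": "invalid_grant",
                "error_description": "The redirect URI does not match "
                                     "the one used in the authorization request"}
    return {"ok": True}


# Constructed sample inputs (assumed values, not real traffic).
CB = "https://app.example/cb"
OTHER = "https://attacker.example/cb"


def compare_conditions() -> Dict[str, Dict[str, bool]]:
    """Run both conditions over the four stored/requested combinations and
    report whether each accepts the token request."""
    cases = {
        "stored, omitted in token request": (AuthCode("c1", "app", CB),
                                             TokenRequest("c1", "app", None)),
        "stored, identical":                (AuthCode("c1", "app", CB),
                                             TokenRequest("c1", "app", CB)),
        "stored, different":                (AuthCode("c1", "app", CB),
                                             TokenRequest("c1", "app", OTHER)),
        "not stored, sent in token request": (AuthCode("c1", "app", None),
                                              TokenRequest("c1", "app", CB)),
    }
    out: Dict[str, Dict[str, bool]] = {}
    for name, (ac, req) in cases.items():
        out[name] = {
            "as_posted": validate_token_request(req, ac, mismatch_as_posted) == {"ok": True},
            "fixed": validate_token_request(req, ac, mismatch_fixed) == {"ok": True},
        }
    return out


if __name__ == "__main__":
    for name, verdict in compare_conditions().items():
        print(f"{name:36s} as_posted={verdict['as_posted']!s:5s} fixed={verdict['fixed']}")
```

Running it shows the two conditions disagree in exactly two cases: the condition as posted accepts a token request that omits a redirect_uri the code was bound to, which the RFC text quoted in [2] forbids, and it rejects a token request that sends a redirect_uri when the authorization request carried none, which section 4.1.3 does not require (the fixed condition accepts that case; a server that wants to be stricter there would need an additional, separately documented rule).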