Michael Javault created OLTU-194:
------------------------------------
Summary: Parameter OAUTH_REDIRECT_URI is considered REQUIRED even
when it shouldn't
Key: OLTU-194
URL: https://issues.apache.org/jira/browse/OLTU-194
Project: Apache Oltu
Issue Type: Bug
Reporter: Michael Javault
Priority: Minor
The current implementation of the {{OAuthTokenRequest}} forces all
authorization code requests to provide a redirect URI, or fails, by using
{{AuthorizationCodeValidator}}:
{{AuthorizationCodeValidator.java:38}}
{code}
requiredParams.add(OAuth.OAUTH_REDIRECT_URI);
{code}
But per the [RFC 6749|http://tools.ietf.org/html/rfc6749#section-4.1.3], the
redirect URI field is not always required:
{noformat}
redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the
authorization request as described in Section 4.1.1, and their
values MUST be identical.
{noformat}
I am working with clients that force registration per [section
3.1.2.2|http://tools.ietf.org/html/rfc6749#section-3.1.2.2], and do not provide
a redirect URI.
As a workaround, I am using the {{OAuthUnauthenticatedTokenRequest}} class
instead of the {{OAuthTokenRequest}} but I have to re-implement the
{{validateClientAuthenticationCredentials()}} function.
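The conditional rule quoted from RFC 6749 section 4.1.3 above, as an added stand-alone example that is not part of the original report and is not Apache Oltu code. The class, method names and sample values are hypothetical; it assumes the server stores, with each authorization code, the redirect_uri that was sent in the authorization request (or null when none was sent).

```java
import java.util.HashMap;
import java.util.Map;

// Added example: stand-alone sketch, not Apache Oltu code. All names are hypothetical.
public class RedirectUriCheck {

    // redirect_uri sent in the authorization request, keyed by issued code.
    // A null value means the client sent none and relies on its registered URI.
    private final Map<String, String> redirectUriByCode = new HashMap<>();

    void recordAuthorizationRequest(String code, String redirectUri) {
        redirectUriByCode.put(code, redirectUri);
    }

    // RFC 6749 section 4.1.3: redirect_uri is REQUIRED at the token endpoint only
    // if it was included in the authorization request, and then must be identical.
    boolean redirectUriAcceptable(String code, String tokenRequestRedirectUri) {
        if (!redirectUriByCode.containsKey(code)) {
            return false; // unknown authorization code
        }
        String original = redirectUriByCode.get(code);
        if (original == null) {
            // None was sent originally, so the parameter is not required.
            // Choice made in this example: a value that first appears here is rejected.
            return tokenRequestRedirectUri == null;
        }
        // It was sent originally, so it must be present now and match exactly
        // (plain string comparison, no URI normalization).
        return original.equals(tokenRequestRedirectUri);
    }

    public static void main(String[] args) {
        RedirectUriCheck check = new RedirectUriCheck();
        // Constructed sample values.
        check.recordAuthorizationRequest("code-registered", null);
        check.recordAuthorizationRequest("code-explicit", "https://client.example/cb");

        System.out.println("registered client, no redirect_uri: "
                + check.redirectUriAcceptable("code-registered", null));
        System.out.println("explicit URI, omitted at token endpoint: "
                + check.redirectUriAcceptable("code-explicit", null));
        System.out.println("explicit URI, different value: "
                + check.redirectUriAcceptable("code-explicit", "https://other.example/cb"));
        System.out.println("explicit URI, identical value: "
                + check.redirectUriAcceptable("code-explicit", "https://client.example/cb"));
    }
}
```

Relaxing the unconditional requirement this way keeps the binding between the authorization code and the redirect URI for clients that did send one, while accepting clients whose redirect URI is fixed by registration.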