[ https://issues.apache.org/jira/browse/OLTU-194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Javault updated OLTU-194:
---------------------------------

Description:

The current implementation of the {{OAuthTokenRequest}} forces all authorization code requests to provide a redirect URI, or fails, using {{AuthorizationCodeValidator}}:

{{AuthorizationCodeValidator.java:38}}
{code}
requiredParams.add(OAuth.OAUTH_REDIRECT_URI);
{code}

But per the [RFC 6749|http://tools.ietf.org/html/rfc6749#section-4.1.3], the redirect URI field is not always required:

{noformat}
redirect_uri
      REQUIRED, if the "redirect_uri" parameter was included in the
      authorization request as described in Section 4.1.1, and their
      values MUST be identical.
{noformat}

I am working with clients that force registration per [section 3.1.2.2|http://tools.ietf.org/html/rfc6749#section-3.1.2.2], and do not provide a redirect URI.

As a work around, I am using the {{OAuthUnauthenticatedTokenRequest}} class instead of the {{OAuthTokenRequest}} but I have to re-implement the {{validateClientAuthenticationCredentials()}} function.

was:

The current implementation of the {{OAuthTokenRequest}} forces all authorization code requests to provide a redirect URI, or fails, but using {{AuthorizationCodeValidator}}:

{{AuthorizationCodeValidator.java:38}}
{code}
requiredParams.add(OAuth.OAUTH_REDIRECT_URI);
{code}

But per the [RFC 6749|http://tools.ietf.org/html/rfc6749#section-4.1.3], the redirect URI field is not always required:

{noformat}
redirect_uri
      REQUIRED, if the "redirect_uri" parameter was included in the
      authorization request as described in Section 4.1.1, and their
      values MUST be identical.
{noformat}

I am working with clients that force registration per [section 3.1.2.2|http://tools.ietf.org/html/rfc6749#section-3.1.2.2], and do not provide a redirect URI.

As a work around, I am using the {{OAuthUnauthenticatedTokenRequest}} class instead of the {{OAuthTokenRequest}} but I have to re-implement the {{validateClientAuthenticationCredentials()}} function.

> Parameter OAUTH_REDIRECT_URI is considered REQUIRED even when it shouldn't
> --------------------------------------------------------------------------
>
>                 Key: OLTU-194
>                 URL: https://issues.apache.org/jira/browse/OLTU-194
>             Project: Apache Oltu
>          Issue Type: Bug
>            Reporter: Michael Javault
>            Priority: Minor
>
> The current implementation of the {{OAuthTokenRequest}} forces all
> authorization code requests to provide a redirect URI, or fails, using
> {{AuthorizationCodeValidator}}:
> {{AuthorizationCodeValidator.java:38}}
> {code}
> requiredParams.add(OAuth.OAUTH_REDIRECT_URI);
> {code}
> But per the [RFC 6749|http://tools.ietf.org/html/rfc6749#section-4.1.3], the
> redirect URI field is not always required:
> {noformat}
> redirect_uri
>       REQUIRED, if the "redirect_uri" parameter was included in the
>       authorization request as described in Section 4.1.1, and their
>       values MUST be identical.
> {noformat}
> I am working with clients that force registration per [section
> 3.1.2.2|http://tools.ietf.org/html/rfc6749#section-3.1.2.2], and do not
> provide a redirect URI.
> As a work around, I am using the {{OAuthUnauthenticatedTokenRequest}} class
> instead of the {{OAuthTokenRequest}} but I have to re-implement the
> {{validateClientAuthenticationCredentials()}} function.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
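
The conditional rule quoted from RFC 6749 section 4.1.3, written out as an added example; this is not Apache Oltu code and not a proposed patch from the reporter. The class `RedirectUriCheck`, its exception type, and the sample URIs are hypothetical, and it assumes the server stores the authorization request's `redirect_uri` (or null) alongside the issued code.

```java
public final class RedirectUriCheck {

    /** Signals that the token request must be refused. */
    public static final class RedirectUriException extends Exception {
        public RedirectUriException(String message) { super(message); }
    }

    /**
     * @param registeredUri   URI registered for the client (section 3.1.2.2), may be null
     * @param authzRequestUri redirect_uri stored with the code at issue time,
     *                        null if the authorization request omitted it
     * @param tokenRequestUri redirect_uri from the token request, null if absent
     */
    public static void validate(String registeredUri, String authzRequestUri,
                                String tokenRequestUri) throws RedirectUriException {
        if (authzRequestUri != null) {
            // Section 4.1.3: REQUIRED in this case, and the values MUST be identical.
            if (tokenRequestUri == null) {
                throw new RedirectUriException("redirect_uri missing from token request");
            }
            if (!authzRequestUri.equals(tokenRequestUri)) {
                throw new RedirectUriException("redirect_uri differs from authorization request");
            }
            return;
        }
        // The authorization request relied on the registered URI: parameter is optional.
        // Policy choice of this example: if sent anyway, it must equal the registered URI.
        if (tokenRequestUri != null && !tokenRequestUri.equals(registeredUri)) {
            throw new RedirectUriException("redirect_uri differs from registered URI");
        }
    }

    private static String check(String reg, String authz, String token) {
        try {
            validate(reg, authz, token);
            return "accepted";
        } catch (RedirectUriException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String reg = "https://client.example/cb";      // constructed sample values
        System.out.println(check(reg, null, null));    // registered client, parameter never sent
        System.out.println(check(reg, reg, null));     // sent at authorization, absent at token
        System.out.println(check(reg, reg, reg));      // sent both times, identical
        System.out.println(check(reg, reg, "https://other.example/cb"));  // values differ
        System.out.println(check(reg, null, "https://other.example/cb")); // unexpected value
    }
}
```

The identity check is what binds a code to the redirect target it was issued for, so relaxing the unconditional requirement should keep the comparison whenever the authorization request carried a `redirect_uri`.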