Hi Andreas,

Let me make sure I understand.  You're concerned about the use case where
the redirect_uri was omitted from the authorization request (which is valid
since it is optional per section 4.1.1) yet a redirect_uri was provided on
the access token request?  In this particular case, due to the logic you
mentioned, an exception would be thrown because the redirect_uris do not
match.

Is that the case you are running into?

Thanks,
-Stanton


On Wed, Oct 16, 2013 at 6:54 AM, Andreas Kohn <andreas.k...@gmail.com> wrote:

> Hi,
>
> I'm currently stepping through the logic for handling OAuth2 requests, at
> the same time reading through RFC 6749 and trying to wrap my head around
> what's going on :)
>
> I noticed that in AuthCodeGrantValidator#validateRequest() a condition
> states "if servlet request has a redirect_uri, then it must match the one
> stored in the authcode"[1], but from my reading of the RFC it should be "if
> authcode has a redirect_uri, then the servlet request must specify the same
> one" [2][3].
>
> Am I missing something?
>
> Regards,
> --
> Andreas
>
> [1]
>  67     if (servletRequest.getRedirectURI() != null
>  68         && !servletRequest.getRedirectURI().equals(authCode.getRedirectURI())) {
>  69       OAuth2NormalizedResponse response = new OAuth2NormalizedResponse();
>  70       response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
>  71       response.setError(ErrorType.INVALID_GRANT.toString());
>  72       response
>  73           .setErrorDescription("The redirect URI does not match the one used in the authorization request");
>  74       response.setBodyReturned(true);
>  75       throw new OAuth2Exception(response);
>  76     }
>
> [2] Section 4.1.3 Access Token Request says
>
>    o  ensure that the "redirect_uri" parameter is present if the
>       "redirect_uri" parameter was included in the initial authorization
>       request as described in Section 4.1.1
>       <http://tools.ietf.org/html/rfc6749#section-4.1.1>, and if included
>       ensure that their values are identical.
>
>
> [3] Fix would be to replace lines 67 and 68 with:
>     if (authCode.getRedirectURI() != null
>         && !authCode.getRedirectURI().equals(servletRequest.getRedirectURI())) {
>

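The two conditions discussed in the thread side by side, as an added example that is not the project's own code: it evaluates the check quoted from AuthCodeGrantValidator#validateRequest() and Andreas's proposed replacement over the redirect_uri combinations that RFC 6749 section 4.1.3 distinguishes. The class, method names and sample URIs are constructed for the example.

```java
// Added example, not code from the project under discussion.
public class RedirectUriCheckDemo {

    // Condition as quoted from AuthCodeGrantValidator#validateRequest() (lines 67-68):
    // reject only when the token request carries a redirect_uri that differs
    // from the one stored with the authorization code.
    static boolean rejectCurrent(String authCodeUri, String requestUri) {
        return requestUri != null && !requestUri.equals(authCodeUri);
    }

    // Condition proposed in the thread: reject whenever the authorization code
    // was bound to a redirect_uri and the token request does not repeat it exactly
    // (RFC 6749 section 4.1.3: present if it was in the authorization request,
    // and identical).
    static boolean rejectProposed(String authCodeUri, String requestUri) {
        return authCodeUri != null && !authCodeUri.equals(requestUri);
    }

    public static void main(String[] args) {
        String a = "https://client.example/cb";   // constructed sample values
        String b = "https://other.example/cb";
        String[][] cases = {
            // {redirect_uri stored with the code, redirect_uri in the token request}
            {null, null},   // neither side has one: both conditions accept
            {null, a},      // Stanton's case: current rejects, proposed accepts
            {a, null},      // Andreas's case: current accepts, proposed rejects
            {a, a},         // identical: both accept
            {a, b},         // mismatch: both reject
        };
        for (String[] c : cases) {
            System.out.printf("code=%-26s request=%-26s reject(current)=%-5b reject(proposed)=%b%n",
                c[0], c[1], rejectCurrent(c[0], c[1]), rejectProposed(c[0], c[1]));
        }
    }
}
```

The third row is the case Andreas raises: a token request that simply omits redirect_uri passes the current check even though the code was issued against a specific one, so the binding the RFC asks for is not enforced there.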