Andreas Kohn created SHINDIG-1943:
-------------------------------------
Summary: Reversed condition in AuthCodeGrantValidator#validateRequest()
Key: SHINDIG-1943
URL: https://issues.apache.org/jira/browse/SHINDIG-1943
Project: Shindig
Issue Type: Bug
Reporter: Andreas Kohn
_See also discussion at http://www.mail-archive.com/[email protected]/msg08159.html_
AuthCodeGrantValidator#validateRequest() is (part of) the implementation of
section 4.1.3 in RFC 6749 (actually
http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3).
In that section it is stated that the authorization server should
{quote}
ensure that the "redirect_uri" parameter is present if the
"redirect_uri" parameter was included in the initial authorization
request as described in Section 4.1.1, and if included ensure that
their values are identical.
{quote}
In Shindig, however, the condition is reversed: it instead checks the
redirect_uri only if it is given in the current request, but not whether it was
given in the authorization request.
The attached patch fixes that, and also adds a package-info.java file to point to
the relevant specification (OAuth 2.0 is still a draft, and might change).
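To make the reversed condition concrete, the following is an added, stand-alone example written for this report; it is not Shindig's code and not the attached patch. It models only the redirect_uri rule from section 4.1.3: `AuthCodeRecord`, `reversed_check` and `rfc6749_check` are hypothetical names, and the stored record is a constructed stand-in for whatever the authorization server remembered when it issued the code. The reading chosen for the case where the authorization request carried no redirect_uri is "nothing to compare, accept", which is an assumption of this example rather than something the report states.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthCodeRecord:
    """Constructed stand-in for what the server stored when it issued the code."""
    client_id: str
    redirect_uri: Optional[str]  # None if the authorization request omitted it


def reversed_check(stored: AuthCodeRecord, token_redirect_uri: Optional[str]) -> bool:
    """The behaviour the report describes: the comparison only happens when the
    token request itself carries redirect_uri. A token request that simply
    omits the parameter is accepted even though the authorization request
    included one."""
    if token_redirect_uri is not None:
        return token_redirect_uri == stored.redirect_uri
    return True


def rfc6749_check(stored: AuthCodeRecord, token_redirect_uri: Optional[str]) -> bool:
    """RFC 6749 section 4.1.3: if redirect_uri was included in the authorization
    request it must be present in the token request, and the values must be
    identical. Exact string comparison is used here."""
    if stored.redirect_uri is not None:
        if token_redirect_uri is None:
            return False  # required parameter missing
        return token_redirect_uri == stored.redirect_uri
    # Assumption for this example: the authorization request had no
    # redirect_uri, so there is nothing to compare against.
    return True


def divergence(stored: AuthCodeRecord, token_redirect_uri: Optional[str]) -> bool:
    """True when the two validators disagree on a request; used to show the
    exact input the reversed condition mishandles."""
    return reversed_check(stored, token_redirect_uri) != rfc6749_check(stored, token_redirect_uri)


if __name__ == "__main__":
    record = AuthCodeRecord("client-a", "https://app.example/cb")  # constructed
    for uri in ("https://app.example/cb", "https://other.example/cb", None):
        print(uri, reversed_check(record, uri), rfc6749_check(record, uri))
```

The only input on which the two functions disagree is a token request that omits redirect_uri after an authorization request that supplied it: the reversed condition accepts it, the RFC rule rejects it. Matching and mismatching values are handled the same way by both.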
--
This message was sent by Atlassian JIRA
(v6.1#6144)