[
https://issues.apache.org/jira/browse/SHINDIG-1943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808283#comment-13808283
]
Andreas Kohn commented on SHINDIG-1943:
---------------------------------------
No problem: https://reviews.apache.org/r/15040/ . I put both patches into the
same review.
> Reversed condition in AuthCodeGrantValidator#validateRequest()
> --------------------------------------------------------------
>
> Key: SHINDIG-1943
> URL: https://issues.apache.org/jira/browse/SHINDIG-1943
> Project: Shindig
> Issue Type: Bug
> Reporter: Andreas Kohn
> Attachments: shindig-1943-validator.diff,
> shindig-oauth2-package-info.diff
>
>
> _See also discussion at
> http://www.mail-archive.com/[email protected]/msg08159.html _
> AuthCodeGrantValidator#validateRequest() is (part of) the implementation of
> section 4.1.3 in RFC 6749 (actually
> http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3).
> In that section it is stated that the authorization server should
> {quote}
> ensure that the "redirect_uri" parameter is present if the
> "redirect_uri" parameter was included in the initial authorization
> request as described in Section 4.1.1, and if included ensure that
> their values are identical.
> {quote}
> In Shindig, however, the condition is reversed: it instead checks the
> redirect_uri only if it is given in the current request, but not whether it
> was given in the authorization request.
> Attached patch fixes that, and also adds a package-info.java file to point to
> the relevant specification (OAuth 2.0 is still a draft, and might change).
--
This message was sent by Atlassian JIRA
(v6.1#6144)
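As an added illustration, not Shindig's code or the attached patch, here is the reversed check the issue describes beside the check the quoted RFC text requires, written in Python; the `IssuedCode` record, its field names and the sample URIs are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IssuedCode:
    """Constructed stand-in for a stored authorization code: the redirect_uri
    the client sent in the authorization request, or None if it sent none."""
    code: str
    redirect_uri: Optional[str]


def validate_reversed(issued: IssuedCode, token_redirect_uri: Optional[str]) -> bool:
    """The reversed condition from the issue: the comparison only happens when
    the token request carries redirect_uri, so simply omitting it passes."""
    if token_redirect_uri is not None:
        return issued.redirect_uri == token_redirect_uri
    return True


def validate_rfc(issued: IssuedCode, token_redirect_uri: Optional[str]) -> bool:
    """RFC 6749 section 4.1.3: if redirect_uri was in the authorization request,
    the token request must carry it too and the values must be identical
    (exact string comparison, no normalisation)."""
    if issued.redirect_uri is not None:
        if token_redirect_uri is None:
            return False
        return issued.redirect_uri == token_redirect_uri
    # Nothing was bound at authorization time, so there is nothing to compare.
    return True


# Constructed cases: (label, stored redirect_uri, redirect_uri in token request)
CASES = [
    ("matching", "https://client.example/cb", "https://client.example/cb"),
    ("mismatch", "https://client.example/cb", "https://other.example/cb"),
    ("omitted in token request", "https://client.example/cb", None),
    ("never bound", None, None),
]


def diverging_cases() -> List[Tuple[str, bool, bool]]:
    """Return (label, reversed_result, rfc_result) for every case where the
    two checks disagree; this is exactly the bypass the issue reports."""
    out = []
    for label, stored, sent in CASES:
        issued = IssuedCode("code-1", stored)
        a, b = validate_reversed(issued, sent), validate_rfc(issued, sent)
        if a != b:
            out.append((label, a, b))
    return out
```

Running `diverging_cases()` shows the only disagreement is the token request that omits redirect_uri, which the reversed check accepts and the RFC check rejects.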