oltu-dev mailing list archives

From "Rikard Swahn (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OLTU-109) OAuthTokenRequest unnecessarily requires the "redirect_uri" parameter
Date Mon, 14 Sep 2015 10:53:46 GMT

    [ https://issues.apache.org/jira/browse/OLTU-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743364#comment-14743364 ]

Rikard Swahn commented on OLTU-109:
-----------------------------------

I agree that Oltu should not keep this state; it should be up to the implementation to do
that. For example, this could be done statelessly by using an access code which is a JWT which
contains a hash of the redirect URL. On checking the access code, the given redirect URL could
be checked against the hash.

Not sure why this check is required at all in the spec though, but that is another question.

> OAuthTokenRequest unnecessarily requires the "redirect_uri" parameter
> ---------------------------------------------------------------------
>
>                 Key: OLTU-109
>                 URL: https://issues.apache.org/jira/browse/OLTU-109
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-0.22
>         Environment: Authorization Server
>            Reporter: John Jenkins
>             Fix For: oauth2-0.31
>
>
> The OAuthTokenRequest(HttpServletRequest) constructor will inappropriately fail if the
> "redirect_uri" parameter is missing. This is only required if the "redirect_uri" was given
> in the previous, "code" request. From the specification (section 4.1.3):
> redirect_uri
>          REQUIRED, if the "redirect_uri" parameter was included in the
>          authorization request as described in Section 4.1.1, and their
>          values MUST be identical.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
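
The stateless check suggested in the comment above, as an added example that is not part of the original message and not Apache Oltu code: the authorization code is an HS256 JWT carrying a hash of the redirect URI, and the token endpoint compares the presented "redirect_uri" against it as section 4.1.3 requires. It is written in Python so the JWT can be built with the standard library alone; the key, the claim names `cid`, `exp` and `ruh`, and the function names are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side HMAC key, constructed for this example

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _uri_hash(redirect_uri):
    # None records that the authorization request carried no redirect_uri
    if redirect_uri is None:
        return None
    return _b64(hashlib.sha256(redirect_uri.encode()).digest())

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_code(client_id, redirect_uri, now=None, ttl=60):
    """Authorization endpoint: mint a short-lived code bound to the redirect URI."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"cid": client_id, "exp": now + ttl, "ruh": _uri_hash(redirect_uri)}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_sign(signing_input))

def redeem_code(code, client_id, redirect_uri, now=None):
    """Token endpoint: return True only if the code is valid for this request."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = code.split(".")
        # Verify the signature before trusting anything inside the token
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        return False
    if claims["exp"] < now or claims["cid"] != client_id:
        return False
    if claims["ruh"] is None:
        # No redirect_uri in the authorization request, so none is required now
        return True
    # It was included earlier: it must be present now and identical
    return redirect_uri is not None and hmac.compare_digest(claims["ruh"], _uri_hash(redirect_uri))
```

Being stateless, this check does not by itself stop a code from being redeemed twice within its lifetime; that needs a separate record of used codes.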