oltu-dev mailing list archives

From "Stein Welberg (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OLTU-109) OAuthTokenRequest unnecessarily requires the "redirect_uri" parameter
Date Wed, 23 Sep 2015 19:20:04 GMT

    [ https://issues.apache.org/jira/browse/OLTU-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14905072#comment-14905072 ]

Stein Welberg edited comment on OLTU-109 at 9/23/15 7:19 PM:
-------------------------------------------------------------

I have changed the opinion that I stated two years ago ;-). I also don't think it is the responsibility
of Oltu to maintain this state.  A better (and safer) solution is to force clients to always
send the redirect_uri. This also makes for an easier implementation on the server side. Imho
this issue can be closed and marked as "Won't fix" for the reasons stated in the comments.


was (Author: steinwelberg):
I come back at my opinion stated two years ago ;-). I also don't think it is the responsibility
of Oltu to maintain this state.  A better (and safer) solution is to force clients to always
send the redirect_uri. This also makes for an easier implementation on the server side. Imho
this issue can be closed and marked as "Won't fix" for the reasons stated in the comments.

> OAuthTokenRequest unnecessarily requires the "redirect_uri" parameter
> ---------------------------------------------------------------------
>
>                 Key: OLTU-109
>                 URL: https://issues.apache.org/jira/browse/OLTU-109
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-0.22
>         Environment: Authorization Server
>            Reporter: John Jenkins
>             Fix For: oauth2-0.31
>
>
> The OAuthTokenRequest(HttpServletRequest) constructor will inappropriately fail if the
> "redirect_uri" parameter is missing. This is only required if the "redirect_uri" was given
> in the previous, "code" request. From the specification (section 4.1.3):
> redirect_uri
>          REQUIRED, if the "redirect_uri" parameter was included in the
>          authorization request as described in Section 4.1.1, and their
>          values MUST be identical.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
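
Added example, not part of the original message and not Apache Oltu code: a token-endpoint check showing the two policies discussed above, the conditional rule quoted from section 4.1.3 and the "always send redirect_uri" rule from the comment. All class, enum and method names are hypothetical, the sample requests are constructed, and rejecting a redirect_uri that was never bound to the code is an assumption of this sketch.

```java
import java.util.Map;

// Added illustration (Java 9+). All names are hypothetical; none is Apache Oltu API.
public class RedirectUriCheck {
    enum Policy { RFC_CONDITIONAL, ALWAYS_REQUIRED }

    // Stateless presence check: the part a request parser can do without
    // knowing anything about the earlier authorization request.
    static String checkPresence(Policy policy, Map<String, String> tokenParams) {
        if (policy == Policy.ALWAYS_REQUIRED && tokenParams.get("redirect_uri") == null) {
            return "invalid_request";   // required parameter missing
        }
        return null;                    // RFC_CONDITIONAL cannot decide without state
    }

    // Stateful comparison against the value stored with the authorization code.
    // boundUri is null when the authorization request carried no redirect_uri.
    static String checkBinding(String boundUri, Map<String, String> tokenParams) {
        String sent = tokenParams.get("redirect_uri");
        if (boundUri == null) {
            // Assumption: a redirect_uri that was never bound to the code is rejected.
            return sent == null ? null : "invalid_grant";
        }
        if (sent == null) {
            return "invalid_request";   // section 4.1.3: REQUIRED in this case
        }
        // Exact string comparison: the values MUST be identical.
        return boundUri.equals(sent) ? null : "invalid_grant";
    }

    // Returns null when the token request passes, otherwise an OAuth error code.
    static String validate(Policy policy, String boundUri, Map<String, String> tokenParams) {
        String error = checkPresence(policy, tokenParams);
        return error != null ? error : checkBinding(boundUri, tokenParams);
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        String uri = "https://client.example/cb";
        Map<String, String> with = Map.of("grant_type", "authorization_code", "code", "abc", "redirect_uri", uri);
        Map<String, String> without = Map.of("grant_type", "authorization_code", "code", "abc");
        System.out.println("conditional, nothing bound, none sent: " + validate(Policy.RFC_CONDITIONAL, null, without));
        System.out.println("conditional, bound, none sent:         " + validate(Policy.RFC_CONDITIONAL, uri, without));
        System.out.println("always, bound, none sent:              " + validate(Policy.ALWAYS_REQUIRED, uri, without));
        System.out.println("always, bound, matching sent:          " + validate(Policy.ALWAYS_REQUIRED, uri, with));
        System.out.println("always, bound to another URI:          " + validate(Policy.ALWAYS_REQUIRED, uri + "2", with));
    }
}
```

Under ALWAYS_REQUIRED the presence check needs no stored state, so a request parser can enforce it on its own; the comparison against the bound value stays with the code that stores authorization codes.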
