Skip to content
This repository has been archived by the owner on Jan 20, 2024. It is now read-only.

Authorization Code Redirection URI Check Too Strict #129

Open
Druotic opened this issue Dec 27, 2019 · 2 comments
Open

Authorization Code Redirection URI Check Too Strict #129

Druotic opened this issue Dec 27, 2019 · 2 comments

Comments

@Druotic
Copy link

Druotic commented Dec 27, 2019

AFAIK, there's nothing in the spec that indicates an intermediary redirect during the authorization code grant flow should be disallowed. Assuming I'm using the library correctly, I believe this library (basically) disallows it at this line - https://github.com/mulesoft/js-client-oauth2/blob/master/src/client-oauth2.js#L588

That line forces the original redirectUri pathname to match the pathname after the final redirect (the one that this library is loaded on). Well, technically it doesn't forbid an intermediary redirect, but it does require the first redirect to use the same pathname as the final. Is there any reason to not just remove that check? Per the oauth2 spec, the authorization server should be handling any security concerns around redirect URI domains. I'm not sure why the path would need to match - these seem independent to me.

Am I missing a reason to keep it?

edit: if no one has any concerns, I'm happy to make the change. It should be a very small change.

Druotic pushed a commit to Druotic/js-client-oauth2 that referenced this issue Dec 27, 2019
@Druotic
Copy link
Author

Druotic commented Dec 27, 2019

The change was so small, I went ahead and put up a PR.

I only addressed the concern in the authorization code flow since that is the flow I am using. However, I'm happy to update the other flow(s) as appropriate - I didn't bother doing it yet since I haven't heard back on the original proposal yet. Let me know if this is something that you'd like to see in all flows.

@Druotic
Copy link
Author

Druotic commented Jan 2, 2020

We're using this change internally (via a fork) and it has worked great for us so far. Let me know if there's anything you'd like to see changed - I'd be happy to address any feedback.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
1 participant