You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jan 20, 2024. It is now read-only.
That line forces the original redirectUri pathname to match the pathname after the final redirect (the one that this library is loaded on). Well, technically it doesn't forbid an intermediary redirect, but it does require the first redirect to use the same pathname as the final. Is there any reason to not just remove that check? Per the oauth2 spec, the authorization server should be handling any security concerns around redirect URI domains. I'm not sure why the path would need to match - these seem independent to me.
Am I missing a reason to keep it?
edit: if no one has any concerns, I'm happy to make the change. It should be a very small change.
The text was updated successfully, but these errors were encountered:
Druotic
pushed a commit
to Druotic/js-client-oauth2
that referenced
this issue
Dec 27, 2019
The change was so small, I went ahead and put up a PR.
I only addressed the concern in the authorization code flow since that is the flow I am using. However, I'm happy to update the other flow(s) as appropriate - I didn't bother doing it yet since I haven't heard back on the original proposal yet. Let me know if this is something that you'd like to see in all flows.
We're using this change internally (via a fork) and it has worked great for us so far. Let me know if there's anything you'd like to see changed - I'd be happy to address any feedback.
AFAIK, there's nothing in the spec that indicates an intermediary redirect during the authorization code grant flow should be disallowed. Assuming I'm using the library correctly, I believe this library (basically) disallows it at this line - https://github.com/mulesoft/js-client-oauth2/blob/master/src/client-oauth2.js#L588
That line forces the original redirectUri pathname to match the pathname after the final redirect (the one that this library is loaded on). Well, technically it doesn't forbid an intermediary redirect, but it does require the first redirect to use the same pathname as the final. Is there any reason to not just remove that check? Per the oauth2 spec, the authorization server should be handling any security concerns around redirect URI domains. I'm not sure why the path would need to match - these seem independent to me.
Am I missing a reason to keep it?
edit: if no one has any concerns, I'm happy to make the change. It should be a very small change.
The text was updated successfully, but these errors were encountered: