Posted to dev@oltu.apache.org by "Stein Welberg (JIRA)" <ji...@apache.org> on 2015/09/23 21:20:04 UTC

[jira] [Comment Edited] (OLTU-109) OAuthTokenRequest unnecessarily requires the "redirect_uri" parameter

    [ https://issues.apache.org/jira/browse/OLTU-109?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14905072#comment-14905072 ] 

Stein Welberg edited comment on OLTU-109 at 9/23/15 7:19 PM:
-------------------------------------------------------------

I have changed the opinion that I stated two years ago ;-). I also don't think it is the responsibility of Oltu to maintain this state.  A better (and safer) solution is to force clients to always send the redirect_uri. This also makes for an easier implementation on the server side. Imho this issue can be closed and marked as "Won't fix" for the reasons stated in the comments.


was (Author: steinwelberg):
I come back at my opinion stated two years ago ;-). I also don't think it is the responsibility of Oltu to maintain this state.  A better (and safer) solution is to force clients to always send the redirect_uri. This also makes for an easier implementation on the server side. Imho this issue can be closed and marked as "Won't fix" for the reasons stated in the comments.

> OAuthTokenRequest unnecessarily requires the "redirect_uri" parameter
> ---------------------------------------------------------------------
>
>                 Key: OLTU-109
>                 URL: https://issues.apache.org/jira/browse/OLTU-109
>             Project: Apache Oltu
>          Issue Type: Bug
>          Components: oauth2-authzserver
>    Affects Versions: oauth2-0.22
>         Environment: Authorization Server
>            Reporter: John Jenkins
>             Fix For: oauth2-0.31
>
>
> The OAuthTokenRequest(HttpServletRequest) constructor will inappropriately fail if the "redirect_uri" parameter is missing. This is only required if the "redirect_uri" was given in the previous, "code" request. From the specification (section 4.1.3):
> redirect_uri
>          REQUIRED, if the "redirect_uri" parameter was included in the
>          authorization request as described in Section 4.1.1, and their
>          values MUST be identical.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
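
The token-endpoint check discussed in this thread, as an added example that is not part of the original message and not Apache Oltu code. It shows the conditional rule quoted from section 4.1.3 next to the stricter always-required policy from the comment; the class, method and field names and the sample values are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration (Java 16+); all names are hypothetical, not Apache Oltu's API.
public class RedirectUriCheck {
    // State the authorization endpoint binds to a code; redirectUri is null if the client sent none.
    record IssuedCode(String clientId, String redirectUri) {}

    private final Map<String, IssuedCode> codes = new ConcurrentHashMap<>();
    // true = stricter policy: redirect_uri is mandatory on every token request
    // (assumes the authorization endpoint then always stores one).
    private final boolean alwaysRequire;

    RedirectUriCheck(boolean alwaysRequire) { this.alwaysRequire = alwaysRequire; }

    void issue(String code, String clientId, String redirectUri) {
        codes.put(code, new IssuedCode(clientId, redirectUri));
    }

    // Returns null when the request passes, otherwise an RFC 6749 section 5.2 error code.
    String checkTokenRequest(String code, String clientId, String redirectUri) {
        if (code == null || clientId == null) return "invalid_request";
        IssuedCode issued = codes.remove(code); // codes are single use
        if (issued == null || !issued.clientId().equals(clientId)) return "invalid_grant";
        if (redirectUri == null) {
            // Section 4.1.3: may be omitted only if the authorization request had none.
            return (alwaysRequire || issued.redirectUri() != null) ? "invalid_request" : null;
        }
        // Exact string match, no normalization. A value sent now but absent from the
        // authorization request is treated as a mismatch (a choice made in this example).
        return redirectUri.equals(issued.redirectUri()) ? null : "invalid_grant";
    }

    public static void main(String[] args) {
        String cb = "https://client.example/cb"; // constructed sample value
        RedirectUriCheck spec = new RedirectUriCheck(false);
        spec.issue("c1", "app", cb);
        spec.issue("c2", "app", cb);
        spec.issue("c3", "app", cb);
        spec.issue("c4", "app", null);
        System.out.println("match:       " + spec.checkTokenRequest("c1", "app", cb));
        System.out.println("omitted:     " + spec.checkTokenRequest("c2", "app", null));
        System.out.println("different:   " + spec.checkTokenRequest("c3", "app", cb + "/x"));
        System.out.println("never given: " + spec.checkTokenRequest("c4", "app", null));
        RedirectUriCheck strict = new RedirectUriCheck(true);
        strict.issue("c5", "app", cb);
        System.out.println("strict, omitted: " + strict.checkTokenRequest("c5", "app", null));
    }
}
```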