Invalid redirect_uri handling #163
Comments
I ran into this issue as well. When requesting a code without supplying the redirect URI, the following request for the access token using the returned code should not require a redirect URI. It looks like whenever a code is requested, the redirect_uri is copied from the Client table if it was not supplied in the code request. When requesting the access token, if the redirect_uri field isn't empty, it will fail on the access_token request without a redirect URI specified. I found a way around this:

I implemented my own storage that never stores the redirect URI in the authorization_code table. This isn't compliant, but I don't require my users to supply it and always use the redirect URL from the client table.
Thank you for reporting this.

On Thu, Jun 20, 2013 at 7:43 AM, Raymond Plante notifications@github.com
@raymondjplante I ended up doing the same thing, just wanted to double-check that I'm not doing something wrong :) @bshaffer Sounds reasonable, will look into it after Wednesday next week when I get back to civilization (bad timing, but we had a trip planned for some time now). Unless it's already fixed by then, of course :)

First thing I saw this morning when getting back was an email saying
According to the Access Token Request part of the RFC, `redirect_uri` is required only if it was included in the authorization request. This library is requesting it in the token step regardless of whether it was included or not in the authorization step. The problematic part of the code is the line below:

However, if it's commented out, all hell breaks loose :) Following the example provided with the library, the first thing that breaks is:

PDOException: SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'redirect_uri' cannot be null in oauth2-server-php/src/OAuth2/Storage/Pdo.php on line 141

At the same time `enforce_redirect` has to be set to `false`, otherwise it doesn't work. But then the redirect doesn't work, since there is no `redirect_uri` set at all. I tried looking into fixing it all together, but it seems it's not a simple fix and my knowledge of the library is not good enough yet to not break something else (will try to look into it more in depth next week though).

Is this what the behavior of the library should be, even though the flow is not OAuth2 compliant? Was it done this way for some security reasons?
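The RFC 6749 section 4.1.3 rule the post refers to, written out as a stand-alone check so the two cases are explicit: `redirect_uri` is REQUIRED at the token endpoint only if it was included in the authorization request, and when it is present the two values MUST be identical. This is an added example, not code from oauth2-server-php or from anyone in this thread. The array shapes, the `validateTokenRedirectUri` name, and the decision to accept a token-step `redirect_uri` only if it equals the registered one when the authorization request omitted it are all assumptions for illustration. It also assumes the authorization-code record stores `redirect_uri` exactly as the client sent it (null when omitted) rather than a copy of the client's registered value, which, given the PDO error quoted above, would need that column to be nullable.

```php
<?php
// Added example, not code from oauth2-server-php. Demonstrates the RFC 6749
// section 4.1.3 redirect_uri rule at the token endpoint.
//
// Assumptions (hypothetical, not the library's schema):
//  - $codeRecord['redirect_uri'] is the value the client sent in the
//    authorization request, or null when the client omitted it.
//  - $clientRecord['redirect_uri'] is the registered redirect URI, which is
//    what the authorization endpoint actually redirected to when omitted.
//  - $tokenRequest is the parsed POST body of the access token request.

declare(strict_types=1);

/**
 * Return null when the token request's redirect_uri is acceptable for this
 * authorization code, or an OAuth2 error string describing the failure.
 */
function validateTokenRedirectUri(array $codeRecord, array $clientRecord, array $tokenRequest): ?string
{
    $suppliedAtAuth  = $codeRecord['redirect_uri'];          // null if omitted in the auth request
    $suppliedAtToken = $tokenRequest['redirect_uri'] ?? null; // null if omitted in the token request

    if ($suppliedAtAuth !== null) {
        // Case 1: redirect_uri was part of the authorization request, so the
        // RFC makes it REQUIRED here, and it must match exactly. No
        // normalisation: a trailing slash or different case is a mismatch.
        if ($suppliedAtToken === null) {
            return 'invalid_request: redirect_uri is required because it was included in the authorization request';
        }
        if ($suppliedAtToken !== $suppliedAtAuth) {
            return 'invalid_grant: redirect_uri does not match the authorization request';
        }
        return null;
    }

    // Case 2: the authorization request omitted redirect_uri, so the token
    // request may omit it as well. This is the case the issue describes.
    if ($suppliedAtToken === null) {
        return null;
    }
    // If the client sends one anyway, only accept the registered URI that the
    // authorization endpoint actually used. This is a design choice in this
    // example, stricter than the RFC, which is silent on this sub-case.
    if ($suppliedAtToken !== $clientRecord['redirect_uri']) {
        return 'invalid_grant: redirect_uri does not match the registered redirect_uri';
    }
    return null;
}

// Constructed sample records and token requests (not real data).
$client = ['client_id' => 'demo-app', 'redirect_uri' => 'https://app.example/cb'];

$codeOmitted  = ['code' => 'c1', 'client_id' => 'demo-app', 'redirect_uri' => null];
$codeSupplied = ['code' => 'c2', 'client_id' => 'demo-app', 'redirect_uri' => 'https://app.example/cb'];

$cases = [
    'omitted at auth, omitted at token'     => [$codeOmitted,  []],
    'omitted at auth, registered at token'  => [$codeOmitted,  ['redirect_uri' => 'https://app.example/cb']],
    'omitted at auth, foreign URI at token' => [$codeOmitted,  ['redirect_uri' => 'https://attacker.example/cb']],
    'supplied at auth, omitted at token'    => [$codeSupplied, []],
    'supplied at auth, identical at token'  => [$codeSupplied, ['redirect_uri' => 'https://app.example/cb']],
    'supplied at auth, trailing slash'      => [$codeSupplied, ['redirect_uri' => 'https://app.example/cb/']],
];

foreach ($cases as $name => [$code, $request]) {
    $error = validateTokenRedirectUri($code, $client, $request);
    printf("%-40s => %s\n", $name, $error ?? 'ok');
}
```

The first and fourth cases are the two sides of the behaviour discussed in the thread: omitting the parameter in both steps is accepted, while omitting it only at the token step after sending it in the authorization request is rejected. Copying the registered URI into the code record, as the post describes the library doing, collapses these two cases into one, which is why the token endpoint cannot tell them apart.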