Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RedirectURI prefix validation #209

Closed
KushNaseeb opened this issue Feb 3, 2022 · 2 comments
Closed

RedirectURI prefix validation #209

KushNaseeb opened this issue Feb 3, 2022 · 2 comments

Comments

@KushNaseeb
Copy link

Is there a reason for only validating the prefix of redirectURI with the registered baseURI instead of validating the exact URL? As per Oauth2 RFC, baseURI should be identical with redirectURI, then why only the prefix validation?
@stlaz
Copy link
Contributor

stlaz commented Feb 3, 2022

The prefix validation was considered practical in the past as you would specify a single URL per domain and your client could redirect freely within it.

This practice, however, is currently frowned upon and exact matching is recommended by current BCP documents. I suppose that if we were to consider creating a v2 for this library, exact redirect URI matching and contexts in all Storage calls would be the two features that would come to my mind.

I actually expect some work to be done to the redirect URI validation in the near future, I wonder whether we could possibly include exact redirect URI matching there, too.

@KushNaseeb
Copy link
Author

Thanks for clarifying @stlaz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stlaz @KushNaseeb