  1. CXF
  2. CXF-4883

OAuth2 RedirectionBasedService needs to do only a strict comparison of redirect URI



    Description

      At the moment, RedirectionBasedService (authorization & implicit flows) will use the client application URI if other registered redirect URIs do not match the current redirect URI.
      For example, if the client application URI is "https://photos.com", and the current redirectUri is "https://photos.com/1?a=2" then the check will pass as "https://photos.com/1?a=2" starts with "https://photos.com".
      OAuth2 experts have recently strongly recommended using the strict comparison only, which is what this service will do from now on.
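
The two comparison policies side by side, as an added example that is not CXF's code and not part of the original issue. The class and method names are hypothetical, and the registered callback URI and the third candidate URI are constructed sample values; only "https://photos.com" and "https://photos.com/1?a=2" come from the description.

```java
import java.util.List;

public class RedirectUriCheck {

    // Lenient policy as described in the issue (a sketch, not the CXF source):
    // if no registered redirect URI matches, accept any redirect URI that
    // starts with the client application URI.
    static boolean lenientMatch(String appUri, List<String> registered, String redirectUri) {
        if (redirectUri == null) {
            return false;
        }
        return registered.contains(redirectUri) || redirectUri.startsWith(appUri);
    }

    // Strict policy: the redirect URI must be exactly equal to one of the
    // URIs registered for the client. No prefix or application-URI fallback.
    static boolean strictMatch(List<String> registered, String redirectUri) {
        return redirectUri != null && registered.contains(redirectUri);
    }

    public static void main(String[] args) {
        String appUri = "https://photos.com";                              // from the issue
        List<String> registered = List.of("https://photos.com/callback");  // constructed

        String[] candidates = {
            "https://photos.com/callback",         // registered: both policies accept
            "https://photos.com/1?a=2",            // from the issue: only the prefix check accepts
            "https://photos.com.other.example/cb"  // constructed: different host sharing the prefix
        };

        for (String c : candidates) {
            System.out.printf("%-40s lenient=%-5b strict=%b%n",
                    c, lenientMatch(appUri, registered, c), strictMatch(registered, c));
        }
    }
}
```

Only the first candidate passes the strict check. The lenient check accepts all three, including the one on a different host, because a string prefix comparison does not respect URI component boundaries.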


          People

            sergey_beryozkin Sergey Beryozkin