[CXF-4883] OAuth2 RedirectionBasedService needs to do only a strict comparison of redirect URI - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.7.4, 2.6.7, 3.0.0-milestone1
Component/s: JAX-RS, JAX-RS Security
Labels:
None

Estimated Complexity:
Unknown

Description

At the moment, RedirectionBasedService (authorization & implicit flows) will use the client application URI if other registered redirect URIs do not match the current redirect URI.
For example, if the client application URI is "https://photos.com", and the current redirectUri is "https://photos.com/1?a=2" then the check will pass as "https://photos.com/1?a=2" starts from "https://photos.com".
OAuth2 experts have strongly recommended recently to use the strict comparison only, which is what this service will do from now on

Attachments

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Sergey Beryozkin

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 07/Mar/13 13:06

Updated:: 09/Apr/13 15:15

Resolved:: 07/Mar/13 13:42