Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version(s): 2.5.0, 2.5.0-update1
Description
_See also the discussion at http://www.mail-archive.com/dev@shindig.apache.org/msg08159.html_
AuthCodeGrantValidator#validateRequest() is (part of) the implementation of Section 4.1.3 of RFC 6749 (more precisely, of the draft it was written against: http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3).
In that section it is stated that the authorization server should
"ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical."
In Shindig, however, the condition is reversed: it checks the redirect_uri only if one is given in the current (access token) request, but not whether one was given in the authorization request. A token request that simply omits the parameter is therefore accepted even when the authorization request carried one.
The attached patch fixes that, and also adds a package-info.java file pointing to the relevant specification (OAuth 2.0 is still a draft and might change).
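The two conditions side by side, as an added Java illustration that is not Shindig's code or the attached patch; the class, method and parameter names are assumed, and the sample URI is constructed:

```java
/**
 * Added illustration (not Shindig's code): the redirect_uri check from
 * RFC 6749 section 4.1.3 next to the reversed check this issue reports.
 * authorizationRedirectUri is the value stored with the authorization code
 * when it was issued (null if the client sent none); tokenRedirectUri is the
 * value in the current access token request (null if absent).
 */
public class RedirectUriCheck {

    /** Reversed check as described in the issue: only compares when the
     *  token request carries the parameter, so an omitted value passes. */
    static boolean reversedValidate(String authorizationRedirectUri, String tokenRedirectUri) {
        if (tokenRedirectUri != null) {
            return tokenRedirectUri.equals(authorizationRedirectUri);
        }
        return true;
    }

    /** Spec-compliant check: if the authorization request included
     *  redirect_uri, the token request must include it too, and the two
     *  values must be identical. Otherwise there is nothing to compare. */
    static boolean validate(String authorizationRedirectUri, String tokenRedirectUri) {
        if (authorizationRedirectUri != null) {
            return tokenRedirectUri != null
                && authorizationRedirectUri.equals(tokenRedirectUri);
        }
        return true;
    }

    public static void main(String[] args) {
        String issuedWith = "https://client.example.org/cb"; // constructed sample value

        // The case this issue is about: sent when the code was issued, omitted now.
        System.out.println("reversed, omitted : " + reversedValidate(issuedWith, null));
        System.out.println("fixed,    omitted : " + validate(issuedWith, null));

        // A different value: both variants reject it.
        System.out.println("reversed, mismatch: " + reversedValidate(issuedWith, "https://other.example/cb"));
        System.out.println("fixed,    mismatch: " + validate(issuedWith, "https://other.example/cb"));

        // Identical value: both variants accept it.
        System.out.println("fixed,    match   : " + validate(issuedWith, issuedWith));
    }
}
```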