[SHINDIG-1943] Reversed condition in AuthCodeGrantValidator#validateRequest() - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.0, 2.5.0-update1
Fix Version/s: 2.5.1
Component/s: None
Labels:
None

Description

_See also discussion at http://www.mail-archive.com/dev@shindig.apache.org/msg08159.html _

AuthCodeGrantValidator#validateRequest() is (part of) the implementation of section 4.1.3 in RFC 6749 (actually http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3).

In that section it is stated that the authorization server should

ensure that the "redirect_uri" parameter is present if the
"redirect_uri" parameter was included in the initial authorization
request as described in Section 4.1.1, and if included ensure that
their values are identical.

In shindig however the condition is reversed: it instead checks the redirect_uri only if it is given in the current request, but not whether it was given in the authorization request.

Attached patch fixes that, and also adds a package-info.java file to point to the relevant specification (OAuth 2.0 is still a draft, and might change).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

shindig-1943-validator.diff
17/Oct/13 13:32
1.0 kB
Andreas Kohn
shindig-oauth2-package-info.diff
17/Oct/13 13:32
0.6 kB
Andreas Kohn

Activity

People

Assignee:: Ryan Baxter

Reporter:: Andreas Kohn

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Oct/13 13:29

Updated:: 25/Feb/14 14:42

Resolved:: 25/Feb/14 14:42