Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Error Response with invalid redirection URI #4075

Closed
user1336 opened this issue Feb 11, 2020 · 3 comments · Fixed by #4095
Closed

Error Response with invalid redirection URI #4075

user1336 opened this issue Feb 11, 2020 · 3 comments · Fixed by #4095
Assignees
Labels
Milestone

Comments

@user1336
Copy link
Contributor

user1336 commented Feb 11, 2020

In the OAuth authorization_code flow, when validating the redirect_uri on the token endpoint, why do we return an unauthorized_client when the redirect_uri is invalid.
Shouldn't this be an invalid_grant according to the spec:

"invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client."
https://tools.ietf.org/html/rfc6749#section-5.2

Edit: mixed the authorize and token endpoint error-responses.

@leastprivilege
Copy link
Member

Yep. seems you are right. invalid_grant would be the better error response.

@leastprivilege leastprivilege self-assigned this Feb 18, 2020
@leastprivilege leastprivilege added this to the 4.0 milestone Feb 18, 2020
@user1336
Copy link
Contributor Author

I'll submit a PR!

@lock
Copy link

lock bot commented May 5, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators May 5, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants