AuthenticationRequest fails to parse request with redirect_uri in request object

Issue #113 resolved
Pétur Runólfsson created an issue

AuthenticationRequest.parse throws an exception if it can't find a redirect_uri parameter in the query. This is too strict, as although the redirect_uri is required, it is permitted to pass it via the request or request_uri parameters instead of including it in the URI.

An example of this is shown in section 6.2.2: http://openid.net/specs/openid-connect-core-1_0.html#UseRequestUri

This code attempts to parse the query from the example in 6.2.2, but fails with a ParseException at line 1050:

        String query =
            "response_type=code%20id_token" +
            "&client_id=s6BhdRkqt3" +
            "&request_uri=https%3A%2F%2Fclient.example.org%2Frequest.jwt" +
            "%23GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM" +
            "&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj" +
            "&scope=openid";
        AuthenticationRequest request = AuthenticationRequest.parse(query);
