Add redirect_uri check for code, state, etc. not present in the optional query params
Issue #433
resolved
See OSW talk Thursday:
https://oauth.secworkshop.events/osw2023/agenda-thursday
OAuth 2.0 Redirect URI Validation Falls Short, Literally
Tommaso Innocenti, Matteo Golinelli, Kaan Onarlioglu, Bruno Crispo, Engin Kirda
Comments (2)
- changed status to resolved
Completed with: b6105769095b9a485c82e93a6f09e52e6a95f338
Adds ClientMetadata.PROHIBITED_REDIRECT_URI_QUERY_PARAMETER_NAMES, updates ClientMetadata to reject "redirect_uris" with query parameters "code", "state" or "response": d9ac68eb6171f917ef43c2871f173a7ca78245ba
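Added example, not the SDK's own (Java) code: a standalone Python version of the registration-time check the comment above describes, next to the redirect-building step that motivates it. The constant name mirrors the one named in the comment; the function names, the `append_response_params` / `first_value` helpers and the sample URIs are assumptions constructed for the illustration. The fragment check is the separate RFC 6749 section 3.1.2 rule and is included only for completeness.

```python
"""Registration-time redirect_uri query-parameter check (added example, not SDK code)."""
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Mirrors the constant named in the commit comment: the parameters an AS itself
# appends to the redirect URI, so a client must not pre-register them (assumption).
PROHIBITED_REDIRECT_URI_QUERY_PARAMETER_NAMES = frozenset({"code", "state", "response"})


def prohibited_query_params(redirect_uri: str) -> List[str]:
    """Return the prohibited parameter names present in the URI's query, in order, once each."""
    found: List[str] = []
    for name, _value in parse_qsl(urlsplit(redirect_uri).query, keep_blank_values=True):
        if name in PROHIBITED_REDIRECT_URI_QUERY_PARAMETER_NAMES and name not in found:
            found.append(name)
    return found


def validate_redirect_uris(redirect_uris: List[str]) -> List[str]:
    """Accept the registered list only if no entry carries a prohibited parameter.

    Raises ValueError on the first offending URI; returns a copy of the list otherwise.
    """
    for uri in redirect_uris:
        parts = urlsplit(uri)
        if parts.fragment:
            # RFC 6749 section 3.1.2: the redirection endpoint URI must not include a fragment.
            raise ValueError(f"redirect_uri must not contain a fragment: {uri!r}")
        bad = prohibited_query_params(uri)
        if bad:
            raise ValueError(
                f"redirect_uri {uri!r} must not contain query parameter(s): {', '.join(bad)}"
            )
    return list(redirect_uris)


def append_response_params(redirect_uri: str, code: str, state: Optional[str]) -> str:
    """How an AS commonly builds the authorization response: keep the registered query
    string and append code (and state) to it. Assumed helper, not SDK code."""
    parts = urlsplit(redirect_uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("code", code))
    if state is not None:
        params.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def first_value(url: str, name: str) -> Optional[str]:
    """A client-side parser that takes the first occurrence of a query parameter."""
    for n, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if n == name:
            return v
    return None


if __name__ == "__main__":
    # Constructed sample: a redirect_uri that pre-registers a "code" parameter.
    registered = "https://app.example/cb?code=pre&ui=dark"
    # Without the check, the AS appends its real code after the pre-registered one ...
    built = append_response_params(registered, "real-code", "xyz")
    print(built)                      # code=pre&code=real-code&state=xyz
    print(first_value(built, "code"))  # a first-occurrence parser sees "pre", not "real-code"
    # ... which is exactly the collision the registration-time check refuses:
    try:
        validate_redirect_uris([registered])
    except ValueError as exc:
        print("rejected:", exc)
```

The point of refusing `code`, `state` and `response` at registration rather than at authorization time is that once such a URI is accepted, every response built by appending parameters carries a duplicate name, and which value the client's framework picks is up to that framework; rejecting the registration removes the ambiguity before any code is ever issued.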