Messages - Does OIDC invalid_redirect_uri error override default OAuth 2.0 behaviour?
Hi guys,
OAuth 2.0 states that if the authorisation request has a "missing, invalid, or mismatching redirection URI" an error message should be presented to the end-user and redirection should not occur.
http://tools.ietf.org/html/rfc6749#section-4.1.2.1
I suppose "mismatching" is to mean a URI that has not been registered with the OP?
OIDC seems to override the OAuth 2.0 behaviour on "mismatching" redirect URI and requires instead an error code to be returned to the client:
http://openid.bitbucket.org/openid-connect-messages-1_0.html#anchor6
invalid_redirect_uri The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.
Am I interpreting the spec correctly?
If yes, the current "invalid" qualifier in "invalid_redirect_uri" sounds a bit ambiguous as it may also mean that the URI doesn't parse correctly. Perhaps "redirect_uri_not_registered" would be a better match for this error condition.
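As an added illustration (not code from this issue, the spec, or the project), here is how an authorization endpoint would apply the OAuth 2.0 rule discussed above: a redirect_uri that is missing, malformed, or not an exact match for a pre-registered value produces an error page and no redirect, while other errors (such as an unsupported response_type) are delivered to the already-validated redirect_uri. The client registration, client_id and the page reason strings are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample registration: client_id -> pre-registered redirect_uris.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": ["https://client.example.org/cb"],
}
SUPPORTED_RESPONSE_TYPES = {"code", "id_token", "code id_token"}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string comparison against the client's pre-registered URIs:
    no prefix matching and no ignoring of query or fragment components."""
    if not redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.fragment or not parts.scheme or not parts.netloc:
        return False  # malformed, or carries a fragment (not allowed)
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def error_redirect(redirect_uri, error, state=None):
    """Build the error redirect, keeping any query already in redirect_uri."""
    parts = urlsplit(redirect_uri)
    extra = {"error": error}
    if state is not None:
        extra["state"] = state
    query = parts.query + ("&" if parts.query else "") + urlencode(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def handle_authorization_request(params):
    """Return ("error_page", reason) when redirection must NOT occur,
    ("redirect", url) when the client is told via its redirect_uri, or
    ("continue", None) when the request is well-formed and user auth follows."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    # Unknown client or missing/invalid/mismatching redirect_uri: per
    # RFC 6749 section 4.1.2.1, show the resource owner an error, never redirect.
    if client_id not in REGISTERED_CLIENTS:
        return ("error_page", "unknown_client")
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return ("error_page", "invalid_redirect_uri")
    # Only now is redirect_uri trusted as an error delivery channel.
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        url = error_redirect(redirect_uri, "unsupported_response_type", params.get("state"))
        return ("redirect", url)
    return ("continue", None)
```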
Comments (2)
- changed status to resolved
Fixes #684: Removed error response in redirect to client if the redirect_uri is wrong to align with OAuth. → <<cset a0d574a1940d>>
We should do what OAuth requires - John will update