Part 2: Require redirect_uri to be inside signed request object

#42 · Created  · Last updated

Merged pull request

Merged in josephheenan/fapi/redirect_uri_inside_request_obj (pull request #42)

  • 9cd0531
  • Author:
  • Closed by:
  • 2018-02-07


fixes #128 (or at least fixes the only part it seems we can current fix)

This should help mitigate any attacks that require changing the redirect_uri.

The redirect_uri appears to still be required as a parameter outside the request object for compliance with the current underlying OAuth RFC (although my personal opinion is that this is not clearly stated in the specifications).

The OIDC Core spec is already clear on behaviour in the case where redirect_uri is present in both location:

"When the request parameter is used, the OpenID Connect request parameter values contained in the JWT supersede those passed using the OAuth 2.0 request syntax."

0 attachments

Loading commits...