Handle redirect_uri according to OAuth 2 spec (!281) · Merge requests · oauth-xx / oauth2

Bo Jeanes requested to merge github/fork/covidence/send-redirect_uri-for-token-exchange into master Dec 01, 2016

Passing redirect_uri to authorization server at grant time is optional (though encouraged and very commonly enforced by providers). However, if it is passed (as it often is) it is REQUIRED to be passed when using the grant code to get an access token.

This change allows a user to optionally provide a redirect_uri when configuring the client to have it passed as a parameter in both the redirect to the authorization server and the later token exchange.

Relevant sections of the spec:

https://tools.ietf.org/html/rfc6749#section-4.1
https://tools.ietf.org/html/rfc6749#section-4.1.3
https://tools.ietf.org/html/rfc6749#section-4.2.1
https://tools.ietf.org/html/rfc6749#section-10.6

This change is backwards compatible, its use is optional, and it handles more of the spec so that the user does not have to.

Note: this will conflict with #280. If both are cleared for merging, I'll be happy to rebase the other for a clean merge promptly.

Handle redirect_uri according to OAuth 2 spec

Merge request reports