fix(oauth): Require redirect_uri parameter when multiple URIs are registered #99004

Merged: dcramer merged 1 commit into master from oauth-redirect-uri-multiple-match on Sep 10, 2025
@dcramer (Member) commented Sep 6, 2025

When an OAuth application has multiple redirect URIs registered, the OAuth 2.0 specification (RFC 6749 §3.1.2.3) requires that clients must provide an exact redirect_uri parameter in their authorization request.

This change enforces that requirement by returning an invalid_request error if no redirect_uri is provided when multiple URIs are registered for the application.

Refs #99002
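
The rule described above, as an added example that is not part of this PR and is not Sentry's code. `resolve_redirect_uri`, `OAuthError` and the `app.example` URLs are hypothetical; exact string matching and the error code used for cases other than the missing parameter are assumptions of this sketch.

```python
from urllib.parse import parse_qs


class OAuthError(Exception):
    """Authorization-endpoint error carrying an RFC 6749 error code."""

    def __init__(self, code: str, description: str):
        super().__init__(f"{code}: {description}")
        self.code = code


def resolve_redirect_uri(registered: list[str], query: str) -> str:
    """Pick the redirect URI for an authorization request.

    `registered` is the client's registered redirect URIs; `query` is the
    raw query string of the authorization request.
    """
    # parse_qs drops parameters with empty values, matching RFC 6749 s3.1:
    # a parameter sent without a value is treated as omitted.
    values = parse_qs(query).get("redirect_uri", [])

    # RFC 6749 s3.1: request parameters must not appear more than once.
    if len(values) > 1:
        raise OAuthError("invalid_request", "redirect_uri repeated")
    if not registered:
        # Assumption: a client with nothing registered is rejected outright.
        raise OAuthError("invalid_request", "no redirect URI registered")

    if not values:
        # The rule from this change: with several URIs registered, the
        # server does not choose one on the client's behalf.
        if len(registered) > 1:
            raise OAuthError("invalid_request", "redirect_uri required")
        return registered[0]

    # Exact string comparison: no prefix, case-folding or normalisation.
    if values[0] not in registered:
        raise OAuthError("invalid_request", "redirect_uri not registered")
    return values[0]


if __name__ == "__main__":
    # Constructed sample: two registered URIs, request omits redirect_uri.
    sample = ["https://app.example/cb", "https://app.example/alt"]
    try:
        resolve_redirect_uri(sample, "response_type=code&client_id=abc")
    except OAuthError as exc:
        print(exc)  # rejected instead of silently defaulting
```
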

@dcramer dcramer requested a review from a team as a code owner September 6, 2025 23:28
@github-actions github-actions Bot added the Scope: Backend Automatically applied to PRs that change backend components label Sep 6, 2025
…istered

When an OAuth application has multiple redirect URIs registered, the OAuth 2.0
specification (RFC 6749 §3.1.2.3) requires that clients must provide an exact
redirect_uri parameter in their authorization request.

This change enforces that requirement by returning an invalid_request error if
no redirect_uri is provided when multiple URIs are registered for the application.

Refs #99002

codecov Bot commented Sep 6, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #99004      +/-   ##
==========================================
- Coverage   81.34%   81.23%   -0.11%     
==========================================
  Files        8544     8538       -6     
  Lines      379244   377152    -2092     
  Branches    23956    23956              
==========================================
- Hits       308485   306372    -2113     
- Misses      70393    70414      +21     
  Partials      366      366              

@dcramer dcramer mentioned this pull request Sep 9, 2025
59 tasks
@dcramer dcramer merged commit 2e27978 into master Sep 10, 2025
64 checks passed
@dcramer dcramer deleted the oauth-redirect-uri-multiple-match branch September 10, 2025 17:53
@github-actions github-actions Bot locked and limited conversation to collaborators Sep 26, 2025