

Make redirect_uri optional for Authorization request
nbulaj committed Mar 14, 2024
1 parent e93f2d7 commit 85de562
Showing 2 changed files with 40 additions and 2 deletions.
16 changes: 15 additions & 1 deletion lib/doorkeeper/oauth/authorization_code_request.rb
Expand Up @@ -59,7 +59,7 @@ def validate_params
@missing_param =
if grant&.uses_pkce? && code_verifier.blank?
:code_verifier
elsif redirect_uri.blank?
elsif redirect_uri.blank? && !allow_blank_redirect_uri?
:redirect_uri
end

Expand All @@ -77,6 +77,14 @@ def validate_grant
end

def validate_redirect_uri
# 4.1.3. Access Token Request
# redirect_uri
# REQUIRED, if the "redirect_uri" parameter was included in the
# authorization request as described in Section 4.1.1, and their
# values MUST be identical.
#
return true if redirect_uri.nil? && allow_blank_redirect_uri?

Helpers::URIChecker.valid_for_authorization?(
redirect_uri,
grant.redirect_uri,
Expand Down Expand Up @@ -109,6 +117,12 @@ def custom_token_attributes_with_data
.slice(*Doorkeeper.config.custom_access_token_attributes)
.symbolize_keys
end

def allow_blank_redirect_uri?
return @client_requires_redirect_uri if defined?(@client_requires_redirect_uri)

@client_requires_redirect_uri = grant&.redirect_uri.blank?
end
end
end
end
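Review bot: In `validate_redirect_uri` the new bypass tests `redirect_uri.nil?` while the new `validate_params` condition tests `redirect_uri.blank?`, so an empty-string `redirect_uri` sent for a grant with no stored URI clears the missing-parameter check and then reaches `URIChecker.valid_for_authorization?("", nil, …)` instead of being short-circuited; aligning the two with `return true if redirect_uri.blank? && allow_blank_redirect_uri?` closes that gap. The inverse combination, a token request that does supply a `redirect_uri` although the grant stored none, also falls through to the checker with a `nil` registered value, and whether the checker rejects that is not visible here, so deciding that case explicitly in this method would make the policy independent of the checker's nil handling. The memoization variable `@client_requires_redirect_uri` holds the opposite of what its name says (it is true precisely when the grant has no redirect URI), so `@allow_blank_redirect_uri` would read correctly. Note also that `allow_blank_redirect_uri?` evaluates to true when `grant` is nil (`nil.blank?`), so a blank `redirect_uri` combined with an unknown code is no longer reported as a missing parameter and relies on `validate_grant` rejecting it; `validate_redirect_uri` continues below the hunk.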
26 changes: 25 additions & 1 deletion lib/doorkeeper/oauth/pre_authorization.rb
Expand Up @@ -98,7 +98,31 @@ def validate_resource_owner_authorize_for_client
end

def validate_redirect_uri
return false if redirect_uri.blank?
# 4.1.1. Authorization Request
#
# redirect_uri
# OPTIONAL. As described in Section 3.1.2.
#
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
#
if redirect_uri.nil?
# 3.1.2.3. Dynamic Configuration
#
# If multiple redirection URIs have been registered, if only part of
# the redirection URI has been registered, or if no redirection URI has
# been registered, the client MUST include a redirection URI with the
# authorization request using the "redirect_uri" request parameter.
#
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3
#
if client.redirect_uri.blank?
@missing_param = :redirect_uri
return false
else
@redirect_uri = client.redirect_uri
return true
end
end

Helpers::URIChecker.valid_for_authorization?(
redirect_uri,
Expand Down
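Review bot: The fallback `@redirect_uri = client.redirect_uri` copies the registered value wholesale, but the RFC 6749 §3.1.2.3 text quoted directly above it only permits defaulting when a single complete URI is registered; if `client.redirect_uri` can hold several registered URIs (Doorkeeper's application registration accepts one per line, as far as I can tell), that multi-line string becomes the effective redirect target instead of the request being rejected. Splitting the registered value and defaulting only when exactly one entry remains keeps the behaviour the comment promises while still rejecting the blank case. The nested `if`/`else` with explicit `return true`/`return false` could also be flattened into a guard clause, which the version below does.

```ruby
def validate_redirect_uri
  # … unchanged: RFC 6749 §4.1.1 / §3.1.2.3 comments …
  if redirect_uri.nil?
    registered = client.redirect_uri.to_s.split
    # Defaulting is only allowed when exactly one full URI is registered;
    # none or several registered entries require the client to send one.
    unless registered.size == 1
      @missing_param = :redirect_uri
      return false
    end

    @redirect_uri = registered.first
    return true
  end

  # … unchanged: URIChecker.valid_for_authorization? call …
```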
