diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
index b3f3a7c23..9024ddfec 100644
--- a/lib/doorkeeper/oauth/authorization_code_request.rb
+++ b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -59,7 +59,7 @@ def validate_params
 @missing_param =
 if grant&.uses_pkce? && code_verifier.blank?
 :code_verifier
- elsif redirect_uri.blank?
+ elsif redirect_uri.blank? && !allow_blank_redirect_uri?
 :redirect_uri
 end
@@ -77,6 +77,14 @@ def validate_grant
 end
 def validate_redirect_uri
+ # 4.1.3. Access Token Request
+ # redirect_uri
+ # REQUIRED, if the "redirect_uri" parameter was included in the
+ # authorization request as described in Section 4.1.1, and their
+ # values MUST be identical.
+ #
+ return true if redirect_uri.nil? && allow_blank_redirect_uri?
+
 Helpers::URIChecker.valid_for_authorization?(
 redirect_uri,
 grant.redirect_uri,
@@ -109,6 +117,12 @@ def custom_token_attributes_with_data
 .slice(*Doorkeeper.config.custom_access_token_attributes)
 .symbolize_keys
 end
+
+ def allow_blank_redirect_uri?
+ return @client_requires_redirect_uri if defined?(@client_requires_redirect_uri)
+
+ @client_requires_redirect_uri = grant&.redirect_uri.blank?
+ end
 end
 end
 end
diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
index 7961a36e9..ef4991f6e 100644
--- a/lib/doorkeeper/oauth/pre_authorization.rb
+++ b/lib/doorkeeper/oauth/pre_authorization.rb
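Review bot: With `grant` nil the new condition suppresses the missing-parameter error, because `allow_blank_redirect_uri?` (last hunk of this file) evaluates `grant&.redirect_uri.blank?`, and ActiveSupport's `nil.blank?` is true; a token request with an unknown code and no `redirect_uri` therefore stops being reported as a missing `redirect_uri` and falls to whatever validate_grant reports, which presumably runs later in the validation chain. If the exemption is meant only for a grant that was issued without a redirect URI, make the helper return false for a missing grant, `grant.present? && grant.redirect_uri.blank?`, so this line keeps its old meaning in the no-grant case. The remainder of validate_params is outside the hunk.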
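Review bot: The early return uses `redirect_uri.nil?` whereas the validate_params check in the first hunk uses `redirect_uri.blank?`, so an empty-string `redirect_uri` on a grant with no stored URI clears validate_params and is then handed here to `Helpers::URIChecker.valid_for_authorization?` as an empty value; align the two, `return true if redirect_uri.blank? && allow_blank_redirect_uri?`, or reject the empty string in both places. The quoted RFC text makes the parameter required when it was included in the authorization request, but this code can only see whether the grant stored a URI; if the authorization side stores the client's registered URI when the request omitted it (the pre_authorization.rb hunk below sets `@redirect_uri = client.redirect_uri` in that case, seemingly whatever that field contains), the exemption never applies to such grants and the comment overstates what is implemented. A comment stating the rule the code actually applies, `# The token request may omit redirect_uri only when the grant itself holds none.`, would be more accurate. The call's remaining arguments are outside the hunk.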
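Review bot: The memoisation variable `@client_requires_redirect_uri` stores the opposite of its name: it is assigned `grant&.redirect_uri.blank?`, which is true precisely when a redirect URI is not required, so a reader of the `defined?` guard will infer the wrong polarity; rename it after the predicate, `@allow_blank_redirect_uri`, in both lines. `grant&.redirect_uri.blank?` also mixes safe navigation with a plain call, which RuboCop's Lint/SafeNavigationChain flags and which only works because ActiveSupport defines `nil.blank?`; `grant.nil? || grant.redirect_uri.blank?` makes the missing-grant result explicit. The helper has no doc comment; one line such as `# True when the grant carries no redirect_uri, so the token request may omit the parameter (RFC 6749 §4.1.3).` would state the rule it enforces.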
@@ -98,7 +98,31 @@ def validate_resource_owner_authorize_for_client
 end
 def validate_redirect_uri
- return false if redirect_uri.blank?
+ # 4.1.1. Authorization Request
+ #
+ # redirect_uri
+ # OPTIONAL. As described in Section 3.1.2.
+ #
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+ #
+ if redirect_uri.nil?
+ # 3.1.2.3. Dynamic Configuration
+ #
+ # If multiple redirection URIs have been registered, if only part of
+ # the redirection URI has been registered, or if no redirection URI has
+ # been registered, the client MUST include a redirection URI with the
+ # authorization request using the "redirect_uri" request parameter.
+ #
+ # @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3
+ #
+ if client.redirect_uri.blank?
+ @missing_param = :redirect_uri
+ return false
+ else
+ @redirect_uri = client.redirect_uri
+ return true
+ end
+ end
 Helpers::URIChecker.valid_for_authorization?(
 redirect_uri,