Make redirect_uri optional for Authorization request #1701

16 changes: 15 additions & 1 deletion lib/doorkeeper/oauth/authorization_code_request.rb
Expand Up @@ -59,7 +59,7 @@ def validate_params
@missing_param =
if grant&.uses_pkce? && code_verifier.blank?
:code_verifier
elsif redirect_uri.blank?
elsif redirect_uri.blank? && !allow_blank_redirect_uri?
:redirect_uri
end

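Review bot: the missing-parameter check for redirect_uri now depends on the grant lookup inside allow_blank_redirect_uri?, so validate_params is no longer a pure check of the incoming parameters. When the code is unknown or revoked, `grant&.redirect_uri.blank?` short-circuits to nil, `!nil` is true, and a request without redirect_uri is reported as a missing parameter rather than reaching validate_grant; that changes the error a client sees for an expired or invalid code and deserves a spec covering the nil-grant path so the new ordering is intentional rather than accidental.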
Expand All @@ -77,6 +77,14 @@ def validate_grant
end

def validate_redirect_uri
# 4.1.3. Access Token Request
# redirect_uri
# REQUIRED, if the "redirect_uri" parameter was included in the
# authorization request as described in Section 4.1.1, and their
# values MUST be identical.
#
return true if redirect_uri.nil? && allow_blank_redirect_uri?

Helpers::URIChecker.valid_for_authorization?(
redirect_uri,
grant.redirect_uri,
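Review bot: the early return tests `redirect_uri.nil?` while validate_params above tests `redirect_uri.blank?`, so an empty-string `redirect_uri=` parameter passes validate_params (blank and allowed) but then reaches `Helpers::URIChecker.valid_for_authorization?` with "" against a blank grant URI; make the two checks agree, e.g. `return true if redirect_uri.blank? && allow_blank_redirect_uri?`. Also note that the RFC text quoted here keys the requirement on whether the parameter was sent in the authorization request, whereas the code keys on what the grant stored; the two are only equivalent if the grant records a blank redirect_uri exactly when the parameter was omitted, which the pre_authorization change in this PR (substituting the client's registered URI) does not obviously guarantee.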
Expand Down Expand Up @@ -109,6 +117,12 @@ def custom_token_attributes_with_data
.slice(*Doorkeeper.config.custom_access_token_attributes)
.symbolize_keys
end

def allow_blank_redirect_uri?
return @client_requires_redirect_uri if defined?(@client_requires_redirect_uri)

@client_requires_redirect_uri = grant&.redirect_uri.blank?
end
end
end
end
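Review bot: the instance variable name is inverted relative to what it holds: `@client_requires_redirect_uri` is true when `grant.redirect_uri` is blank, i.e. when a redirect_uri is not required; rename it (for example `@allow_blank_redirect_uri`) so a later maintainer does not flip the sense. Separately, `grant&.redirect_uri.blank?` yields nil rather than false when grant is nil, because the safe-navigation operator short-circuits the whole chain, and the memoisation then caches that nil; `grant.present? && grant.redirect_uri.blank?` returns a boolean and makes the intended behaviour explicit.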
26 changes: 25 additions & 1 deletion lib/doorkeeper/oauth/pre_authorization.rb
Expand Up @@ -98,7 +98,31 @@ def validate_resource_owner_authorize_for_client
end

def validate_redirect_uri
return false if redirect_uri.blank?
# 4.1.1. Authorization Request
#
# redirect_uri
# OPTIONAL. As described in Section 3.1.2.
#
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
#
if redirect_uri.nil?
# 3.1.2.3. Dynamic Configuration
#
# If multiple redirection URIs have been registered, if only part of
# the redirection URI has been registered, or if no redirection URI has
# been registered, the client MUST include a redirection URI with the
# authorization request using the "redirect_uri" request parameter.
#
# @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3
#
if client.redirect_uri.blank?
@missing_param = :redirect_uri
return false
else
@redirect_uri = client.redirect_uri
return true
end
end

Helpers::URIChecker.valid_for_authorization?(
redirect_uri,
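Review bot: the substitution `@redirect_uri = client.redirect_uri` only matches the quoted RFC 3.1.2.3 when exactly one complete redirection URI is registered. Doorkeeper stores several registered URIs in that single field (one per line), so a client with multiple URIs would have the whole multi-line string assigned as the redirect target instead of being told to supply redirect_uri; split the registered value and set `@missing_param = :redirect_uri` unless it contains exactly one entry. The removed line also checked `redirect_uri.blank?` whereas the new branch checks `redirect_uri.nil?`, so an empty-string parameter now falls through to URIChecker instead of being treated as absent; use `blank?` here to keep the previous behaviour for that input.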