redirect_uri not compliant with RFC6749

This topic has 0 replies, 1 voice, and was last updated 3 years, 3 months ago by safwen.

#26010

    As described in the documentation:

    > * **Requesting an access token**
    > … As can be seen from the RFC, the grant_type, code, redirect_uri and client_id are required parameters. client_secret is also required to allow the client to authenticate with the authorization server.

    However, in the RFC it is mentioned that:
    > * **4.1.3. Access Token Request:**
    > redirect_uri
    > REQUIRED, **if** the “redirect_uri” parameter was included in the
    > authorization request as described in Section 4.1.1, and their
    > values MUST be identical.

    Where in 4.4.1:
    > * **4.4.1 Authorization Request**:
    > OPTIONAL. As described in Section 3.1.2.

    So finally, unlike the OpenAM documentation, in the “Access Token Request” the redirect_uri should only be required if it was present in the “Authorization Request”.

    I did not have the chance to test how it is really implemented, but from the documentation, I can say this is something to fix.
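The conditional rule quoted above (redirect_uri required at the token endpoint only when the authorization request carried one, and then byte-for-byte identical) is easy to get wrong in either direction. The following is an added illustration of a token-endpoint check that applies it; it is not OpenAM or ForgeRock code. The `IssuedCode` record, the in-memory `CODE_STORE` and the request `dict` shape are assumptions made for the example.

```python
"""Token-endpoint redirect_uri validation following RFC 6749 section 4.1.3.

Added illustration, not OpenAM/ForgeRock code. The code store and the
request shape below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IssuedCode:
    """What the authorization server bound to a code when it issued it.

    redirect_uri is None when the authorization request (section 4.1.1,
    where the parameter is OPTIONAL) did not include one.
    """
    client_id: str
    redirect_uri: Optional[str]


# Constructed sample store: code -> data recorded at issuance.
CODE_STORE: Dict[str, IssuedCode] = {
    "code-without-uri": IssuedCode("app1", None),
    "code-with-uri": IssuedCode("app1", "https://app.example/cb"),
}


def validate_token_request(params: Dict[str, str],
                           store: Dict[str, IssuedCode] = CODE_STORE
                           ) -> Tuple[bool, str]:
    """Return (ok, reason) for an authorization_code token request.

    Rules applied (RFC 6749 section 4.1.3):
      - grant_type, code and client_id are always required.
      - redirect_uri is required only if the authorization request
        carried one; if it did, the two values MUST be identical.
    Client authentication (client_secret) is handled elsewhere and is
    out of scope here.
    """
    for name in ("grant_type", "code", "client_id"):
        if not params.get(name):
            return False, f"invalid_request: missing {name}"
    if params["grant_type"] != "authorization_code":
        return False, "unsupported_grant_type"

    issued = store.get(params["code"])
    if issued is None or issued.client_id != params["client_id"]:
        # One generic error: do not reveal whether the code exists or
        # which client it belongs to.
        return False, "invalid_grant"

    sent = params.get("redirect_uri")
    if issued.redirect_uri is None:
        # Authorization request had no redirect_uri, so the token request
        # is not required to carry one either.
        return True, "ok"
    if sent is None:
        return False, "invalid_grant: redirect_uri required"
    # "Identical" means a plain string comparison, with no URL
    # normalisation (trailing slash, case, default port) applied.
    if sent != issued.redirect_uri:
        return False, "invalid_grant: redirect_uri mismatch"
    return True, "ok"


if __name__ == "__main__":
    base = {"grant_type": "authorization_code", "client_id": "app1"}
    print(validate_token_request({**base, "code": "code-without-uri"}))
    print(validate_token_request({**base, "code": "code-with-uri"}))
    print(validate_token_request({**base, "code": "code-with-uri",
                                  "redirect_uri": "https://app.example/cb"}))
```

Note that the check is keyed on what the server recorded when it issued the code, not on what the client asserts at the token endpoint; a server that unconditionally demands redirect_uri (as the quoted documentation describes) rejects the first case above, which the RFC allows, while a server that skips the comparison when the parameter is present would accept a mismatching URI in the third case.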

©2022 ForgeRock