[openstreetmap/openstreetmap-website] OAuth 2: requiring `redirect_uri` is not compliant with RFC 6749 (Issue #4363)

Tobias Zwick notifications at github.com
Wed Nov 22 12:20:34 UTC 2023


### URL

_No response_

### How to reproduce the issue?

### Reproduction

1. When making an OAuth2 authorization request, omit the `redirect_uri`. E.g. open https://master.apis.dev.openstreetmap.org/oauth2/authorize?response_type=code&client_id=nOkiqW1fUHssu_e0Qbk6yLx7659s19CUx3nGmOP5JZk&scope=read_prefs in the browser

2. Authorization server responds with "The requested redirect uri is malformed or doesn't match client redirect URI."

## Description

This does not seem to be compliant with [RFC 6749 - The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749):

- **[4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1). Authorization Request** lists `redirect_uri` as OPTIONAL 

- **[4.1.3](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3). Access Token Request** lists `redirect_uri` only as REQUIRED if it was supplied in the authorization request

- **[3.1.2.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3). Dynamic Configuration** clarifies that only if no redirection URI has been registered for the client, a `redirect_uri` MUST be included in the authorization request. (_When_ a `redirect_uri` is included in an authorization request, the authorization server MUST compare and match the value received against at least one of the registered redirection URIs)

- **[3.1.2.2](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2). Registration Requirements** specifies that public clients MUST specify their redirect endpoint upon registration.

  In fact, OpenStreetMap currently enforces that **any** client, even confidential ones, have to specify (at least one) redirect uri upon registration:
  ![image](https://github.com/openstreetmap/openstreetmap-website/assets/4661658/fd42660b-926f-46dd-9754-45d3702274ce)


### Screenshot(s) or anything else?

_No response_

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4363

Message ID: <openstreetmap/openstreetmap-website/issues/4363 at github.com>
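To make the RFC rules listed in the issue concrete, here is an added Ruby example (not code from openstreetmap-website or from the OAuth library it uses) that puts the strict "always require `redirect_uri`" check reported above next to a resolver that follows RFC 6749 sections 3.1.2.2, 3.1.2.3 and 4.1.3. The client registrations, client ids and URIs are constructed for the example; the method names are hypothetical.

```ruby
require 'uri'

# Constructed sample client registrations (ids and URIs are made up for the example).
CLIENTS = {
  "single" => { confidential: false, redirect_uris: ["https://app.example/cb"] },
  "multi"  => { confidential: true,  redirect_uris: ["https://a.example/cb", "https://b.example/cb"] },
  "none"   => { confidential: true,  redirect_uris: [] }
}.freeze

class RedirectError < StandardError; end

# Strict behaviour, as reported in the issue: any authorization request without
# redirect_uri is refused, even when exactly one URI is registered for the client.
def resolve_redirect_strict(client_id, redirect_uri)
  registered = CLIENTS.fetch(client_id)[:redirect_uris]
  if redirect_uri.nil? || !registered.include?(redirect_uri)
    raise RedirectError, "The requested redirect uri is malformed or doesn't match client redirect URI."
  end
  redirect_uri
end

# RFC 6749 behaviour (sections 3.1.2.2 / 3.1.2.3):
#  * redirect_uri absent, exactly one URI registered -> use the registered one
#  * redirect_uri absent, none or several registered -> the client MUST send it, so reject
#  * redirect_uri present                            -> must be an absolute URI without a
#                                                       fragment and must match a registered
#                                                       value by simple string comparison
def resolve_redirect_rfc(client_id, redirect_uri)
  registered = CLIENTS.fetch(client_id)[:redirect_uris]
  if redirect_uri.nil?
    raise RedirectError, "redirect_uri is required: no redirection URI registered" if registered.empty?
    raise RedirectError, "redirect_uri is required: several redirection URIs registered" if registered.size > 1
    return registered.first
  end
  begin
    parsed = URI.parse(redirect_uri)
  rescue URI::InvalidURIError
    raise RedirectError, "redirect_uri is malformed"
  end
  unless parsed.absolute? && parsed.fragment.nil?
    raise RedirectError, "redirect_uri must be absolute and fragment-free"
  end
  unless registered.include?(redirect_uri)
    raise RedirectError, "redirect_uri does not match a registered redirection URI"
  end
  redirect_uri
end

# Section 4.1.3: at the token endpoint redirect_uri is REQUIRED only if it was sent in the
# authorization request, and then the two values must be identical.
def token_redirect_ok?(authz_redirect_uri, token_redirect_uri)
  return true if authz_redirect_uri.nil?
  !token_redirect_uri.nil? && token_redirect_uri == authz_redirect_uri
end

if __FILE__ == $PROGRAM_NAME
  # The request from the issue: a client with one registered URI, redirect_uri omitted.
  begin
    resolve_redirect_strict("single", nil)
  rescue RedirectError => e
    puts "strict: #{e.message}"
  end
  puts "rfc:    #{resolve_redirect_rfc("single", nil)}"
end
```

The RFC resolver is no weaker than the strict one for the case that matters to security: a supplied `redirect_uri` is still compared by exact string match against the registered values, so an attacker-chosen URI is rejected either way. The only request it accepts that the strict check refuses is the one in the reproduction, where the server can fall back unambiguously to the single registered URI.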