You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the OAuth 2.0 specification, it is very clear that redirect_uri's must be compared with simple string comparison: i.e., the strings must be exactly equal, without any parsing or manipulation. (even though RFC 3986 does contain other comparison mechanisms, OAuth expects simple string comparison)
Whilst changing Doorkeeper to be inline with the specification and security best current practices would be a major breaking change, it would improve the security of all users of Doorkeeper.
The text was updated successfully, but these errors were encountered:
Doorkeeper currently allows for various non-standard practices around redirect URIs, such as ignoring order of query string parameters: https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/oauth/helpers/uri_checker.rb#L22-L28
In the OAuth 2.0 specification, it is very clear that redirect_uri's must be compared with simple string comparison: i.e., the strings must be exactly equal, without any parsing or manipulation. (even though RFC 3986 does contain other comparison mechanisms, OAuth expects simple string comparison)
In OAuth 2.0 Security Best Current Practices this is reiterated, since things like wildcard redirects and non-simple string comparison can lead to Redirect URI Validation Attacks on Authorization Code Grant.
Whilst changing Doorkeeper to be inline with the specification and security best current practices would be a major breaking change, it would improve the security of all users of Doorkeeper.
The text was updated successfully, but these errors were encountered: