Spring Security OAuth / SECOAUTH-168

Check redirect URI and compare with registered URI (a la Facebook)

Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 1.0.0.M6
    • Component/s: OAuth 2
    • Labels: None

Description

A strict equality check isn't necessary to get a lot of the benefits of a pre-registered redirect - CSRF is difficult or impossible if the server simply compares the user-supplied URI and checks that it is "owned" by the registered client (i.e. it starts with the same host and path).
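As an added illustration (not code from the Spring Security OAuth project), the following Java class implements the ownership check the description proposes: parse both URIs and require the requested one to share the registered scheme, host and port and to extend the registered path on a segment boundary. The class name, method names and sample URIs are assumptions; it also goes slightly beyond the host-and-path wording by comparing scheme and effective port.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example: decide whether a redirect_uri supplied in an authorization
 * request is "owned" by the client's registered redirect URI, i.e. same
 * scheme, host and port, and a path that starts with the registered path
 * on a segment boundary. Class and method names are assumptions.
 */
public final class RedirectUriMatcher {

    private RedirectUriMatcher() {}

    /**
     * Returns true when {@code requested} may be used as a redirect target for a
     * client whose registered redirect URI is {@code registered}. The comparison
     * is structural (parsed components), not a plain string startsWith, so
     * "https://client.example" does not match "https://client.example.attacker.test".
     */
    public static boolean isOwnedByRegistered(String registered, String requested) {
        URI reg;
        URI req;
        try {
            // normalize() resolves "." and ".." segments before the path is compared
            reg = new URI(registered).normalize();
            req = new URI(requested).normalize();
        } catch (URISyntaxException e) {
            return false;               // unparsable input is never accepted
        }
        if (!reg.isAbsolute() || !req.isAbsolute()) {
            return false;               // relative URIs have no host to compare
        }
        if (reg.getHost() == null || req.getHost() == null) {
            return false;
        }
        // scheme and host are case-insensitive (RFC 3986)
        if (!reg.getScheme().equalsIgnoreCase(req.getScheme())) {
            return false;
        }
        if (!reg.getHost().equalsIgnoreCase(req.getHost())) {
            return false;
        }
        if (effectivePort(reg) != effectivePort(req)) {
            return false;
        }
        // Path prefix on a segment boundary: "/cb" owns "/cb" and "/cb/x", not "/cbx".
        // The query string is intentionally not part of the comparison.
        String regPath = normalizePath(reg.getRawPath());
        String reqPath = normalizePath(req.getRawPath());
        if (reqPath.equals(regPath)) {
            return true;
        }
        String prefix = regPath.endsWith("/") ? regPath : regPath + "/";
        return reqPath.startsWith(prefix);
    }

    /** Default ports for http/https; any other scheme must carry an explicit port. */
    private static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (scheme.equals("https")) return 443;
        if (scheme.equals("http")) return 80;
        return -1;
    }

    /** An empty path ("https://host") is treated as "/" and owns every path on that host. */
    private static String normalizePath(String rawPath) {
        return (rawPath == null || rawPath.isEmpty()) ? "/" : rawPath;
    }

    public static void main(String[] args) {
        // constructed sample values
        String registered = "https://client.example/oauth/callback";
        String[] candidates = {
            "https://client.example/oauth/callback",                  // ALLOW: exact match
            "https://client.example/oauth/callback/done?state=abc",   // ALLOW: sub-path, query ignored
            "https://CLIENT.example:443/oauth/callback",              // ALLOW: case/default port
            "https://client.example/oauth/callbackx",                 // REJECT: not a segment boundary
            "https://client.example/oauth/callback/../admin",         // REJECT: normalizes to /oauth/admin
            "https://client.example.attacker.test/oauth/callback",    // REJECT: different host
            "http://client.example/oauth/callback",                   // REJECT: different scheme
            "https://client.example:8443/oauth/callback",             // REJECT: different port
        };
        for (String c : candidates) {
            System.out.println((isOwnedByRegistered(registered, c) ? "ALLOW  " : "REJECT ") + c);
        }
    }
}
```

The structural comparison is the point: a plain `startsWith` on the registered string would accept a host such as `client.example.attacker.test` or a sibling path such as `/oauth/callbackx`, while the parsed check keeps the benefit the description is after (the client still controls the redirect target) without demanding byte-for-byte equality.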

People

    • Assignee: Dave Syer (david_syer)
    • Reporter: Dave Syer (david_syer)
    • Votes: 0
    • Watchers: 0