Doorkeeper::Errors::InvalidRedirectUri Raised When No Redirect URI Set

[brent-cybrid]

Steps to reproduce

Create an application with no redirect_uri set, i.e., redirect_uri=nil.

Set allow_blank_redirect_uri = true in the Doorkeeper config.

Hit GET /oauth/authorize with redirect_uri='' or redirect_uri=nil or omit the redirect_uri parameter.

Observe an Doorkeeper::Errors::InvalidRedirectUri exception with the message The requested redirect uri is malformed or doesn't match client redirect URI.

Expected behavior

In versions 5.6.6 and before an authorization code was returned.

Actual behavior

An Doorkeeper::Errors::InvalidRedirectUri exception with the message The requested redirect uri is malformed or doesn't match client redirect URI.

System configuration

Set allow_blank_redirect_uri = true in the Doorkeeper config.

[brent-cybrid]

Has this been looked at?

[nbulaj]

Hey @brent-cybrid .

In versions 5.6.6 and before an authorization code was returned.

I believe it was always like this 🤔

https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/oauth/pre_authorization.rb#L100-L107

In any case this behavior should be reviewed ,m more details here #1678

[ThisIsMissEm]

I believe the logic in the spec is that the Application must have a redirect_uri value, however, when doing the authorization request, you can omit it — though behavior when an application has multiple redirect URIs registered is a little unclear; The best information I can find is under "Dynamic Configuration":

If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.

Refs:

• https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1.2
• https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1.2.3

So the example given where the Application has no redirect_uri's registered AND no redirect_uri is passed to the Authorization Endpoint (GET /oauth/authorize) MUST fail with Doorkeeper::Errors::InvalidRedirectUri

The setting allow_blank_redirect_uri = true only allows for situations where the Application HAS a redirect_uri registered, but none is supplied during the request to the Authorization Endpoint.

[ThisIsMissEm]

So I think this is a "won't fix", but that the issue in #1678 is valid and should be fixed.