If you have a client with a registered redirect URI and you specify an invalid redirect when requesting an authorization code, the invalid redirect URI will be detected but the client is redirected to the invalid URI anyway, with an error appended.
Here's an example using sparklr:
- my-client-with-registered-redirect has a registered redirect URI of http://anywhere
- Sign in and authorize
- Client is redirected to http://www.google.com/?error=redirec...lid%20redirect
The draft spec says:
If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error, and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
Does anyone know if there is an existing bug or TODO against this for spring-security-oauth?
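To make the distinction the spec draws concrete, here is an added example (not spring-security-oauth or sparklr code) of an authorization-endpoint decision that reports a mismatching redirect_uri to the resource owner in-page and only carries errors via redirect once the URI is known to be registered. The client registry and the response tuple shape are constructed for this example.

```python
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry for this example (not sparklr's real configuration):
# client_id -> set of registered redirect URIs.
CLIENTS = {
    "my-client-with-registered-redirect": {"http://anywhere"},
}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string comparison against the client's registered URIs; no prefix or host-only matching."""
    return redirect_uri in CLIENTS.get(client_id, set())


def with_query(uri, params):
    """Append params to the query component of a URI that has already been validated."""
    parts = urlsplit(uri)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def authorize(client_id, redirect_uri, resource_owner_approved):
    """Authorization endpoint decision, returned as (status, headers, body).

    An unknown client_id or a missing/mismatching redirect_uri is reported to the
    resource owner in the response body with no Location header: the error is
    known, but it must not be delivered by redirecting to the unvalidated URI.
    """
    if redirect_uri is None or not redirect_uri_is_registered(client_id, redirect_uri):
        return (400, {}, "invalid_request: unknown client or unregistered redirect_uri")
    if not resource_owner_approved:
        # Only once the URI is known to be registered is it safe to carry an error back via redirect.
        location = with_query(redirect_uri, {"error": "access_denied"})
        return (302, {"Location": location}, "")
    code = secrets.token_urlsafe(24)  # stand-in for issuing and storing a real authorization code
    return (302, {"Location": with_query(redirect_uri, {"code": code})}, "")
```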