
Thread: OAuth2 Invalid Redirect URI is detected but still redirected anyway

  #1 (Join Date: Dec 2010, Posts: 8)

    If you have a client with a registered redirect URI and you specify an invalid redirect when requesting an authorization code, the invalid redirect URI will be detected but the client is redirected to the invalid URI anyway, with an error appended.

    Here's an example using sparklr:

    my-client-with-registered-redirect has a registered redirect URI of http://anywhere

    1. http://localhost:8080/sparklr/oauth/...www.google.com
    2. Sign in and authorize
    3. Client is redirected to http://www.google.com/?error=redirec...lid%20redirect


    The draft spec says,
    If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error, and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
    Does anyone know if there is an existing bug or TODO against this for spring-security-oauth?
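
The behaviour described above, next to the behaviour the draft spec requires, as an added example in plain Python. This is not code from the thread, from sparklr, or from spring-security-oauth; the client registry, the error codes, the placeholder authorization code and the (status, headers, body) response tuple are assumptions made for the illustration.

```python
"""Added example (not from the original thread or project): an OAuth 2.0
authorization endpoint's redirect_uri check, in the vulnerable form described
in the post (detect the mismatch, redirect anyway) beside the form the spec
requires (inform the resource owner, never redirect to the unvalidated URI).
"""

from urllib.parse import urlencode, urlsplit

# Constructed client registry mirroring the sparklr client named in the post.
REGISTERED_CLIENTS = {
    "my-client-with-registered-redirect": {"redirect_uris": ["http://anywhere"]},
}

# Placeholder authorization code; a real server issues a fresh random value.
AUTHZ_CODE = "AUTHZ_CODE"


def redirect_uri_is_registered(client, requested):
    """Exact string comparison against the registered set.

    Exact matching (not prefix or host-suffix matching) is what stops
    look-alike values such as http://anywhere.evil.example from passing.
    """
    return requested in client["redirect_uris"]


def _error_page(message):
    # Rendered to the resource owner in their own user agent: no Location header.
    return 400, {"Content-Type": "text/plain"}, "Authorization error: " + message


def _redirect(uri, params):
    # Append the response parameters to whatever query string the URI has.
    sep = "&" if urlsplit(uri).query else "?"
    return 302, {"Location": uri + sep + urlencode(params)}, ""


def _resolve(query):
    """Shared lookup: returns (client, requested_redirect_uri, error_or_None)."""
    client = REGISTERED_CLIENTS.get(query.get("client_id", ""))
    if client is None:
        return None, None, "missing or unknown client_id"
    requested = query.get("redirect_uri", client["redirect_uris"][0])
    if not redirect_uri_is_registered(client, requested):
        return client, requested, "redirect_uri does not match the registered value"
    return client, requested, None


def authorize_vulnerable(query):
    """The behaviour reported in the post: the mismatch is detected, but the
    user agent is still sent to the unregistered URI with an error appended."""
    client, requested, error = _resolve(query)
    if client is None:
        return _error_page(error)
    if error is not None:
        # Bug: this hands the authorization response channel to whoever
        # controls `requested`, which the check just proved is not the client.
        return _redirect(requested, {"error": "redirect_uri_mismatch"})
    return _redirect(requested, {"code": AUTHZ_CODE})


def authorize_fixed(query):
    """What the draft spec requires: a missing/invalid client_id or a
    mismatching redirect_uri is shown to the resource owner, never redirected.

    Only a redirect_uri that passed the check is ever used as a Location
    target, so errors that arise later (e.g. access_denied) can be redirected
    safely because the target is by then known to belong to the client."""
    client, requested, error = _resolve(query)
    if error is not None:
        return _error_page(error)
    return _redirect(requested, {"code": AUTHZ_CODE})


if __name__ == "__main__":
    # Constructed request reproducing step 1 of the post: the registered
    # client, but an attacker-chosen redirect_uri.
    req = {
        "client_id": "my-client-with-registered-redirect",
        "response_type": "code",
        "redirect_uri": "http://www.google.com",
    }
    print("vulnerable:", authorize_vulnerable(req))
    print("fixed:     ", authorize_fixed(req))
```

The practical rule the spec sentence encodes: a redirect_uri that failed validation has no safe use at all, not even as the target for the error that reports its failure. Running the block prints a 302 with a google.com Location for the vulnerable variant and a 400 error page with no Location for the fixed one.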

  #2 (Join Date: Jun 2005, Posts: 4,230)

    I don't remember seeing a JIRA issue for that. Please feel free to fix it (I think it can be handled in the AuthorizationEndpoint) and send a pull request (see README for contributor's agreement).

  #3 (Join Date: Dec 2010, Posts: 8)

    Done and done.
