Should redirect uri check ignore query params?
patrick91 opened this issue
Patrick Arminio commented
I was trying to set up Buffer today, and their redirect URI looks something like this: https://account.buffer.com/channels/connect?connectingMastodon=true&server=serverName&followBuffer=false
Which seems to break the check in here:
Lines 91 to 97 in 1ceef59
Putting the full URL in the application object worked, so I was wondering if we should ignore query params 😊
Andrew Godwin commented
That's strictly against the OAuth spec:
> redirect_uri
> REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their values MUST be identical.
If it's just Buffer, I'm not entirely inclined to fix it unless other stuff starts doing it too?
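
The trade-off discussed in this thread, as an added example (not Takahē's code and not part of either comment): an exact-match redirect URI check beside the query-ignoring variant that was proposed, plus the token-request rule from the quoted spec text. The function names and the whitespace-separated storage of registered URIs are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: the Buffer redirect URI quoted in the issue,
# and the same URI with its query string removed.
BUFFER_URI = (
    "https://account.buffer.com/channels/connect"
    "?connectingMastodon=true&server=serverName&followBuffer=false"
)
BUFFER_BASE = "https://account.buffer.com/channels/connect"


def registered_uris(field: str) -> set:
    """Split an application's stored redirect URIs.
    Assumption: they are stored as one whitespace/newline-separated string."""
    return set(field.split())


def strict_match(requested: str, field: str) -> bool:
    """Exact string comparison: no normalisation, no query stripping."""
    return requested in registered_uris(field)


def strip_query(uri: str) -> str:
    """Drop the query string and fragment, keeping scheme, host and path."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def loose_match(requested: str, field: str) -> bool:
    """The relaxation asked about in the issue: compare with queries ignored."""
    allowed = {strip_query(u) for u in registered_uris(field)}
    return strip_query(requested) in allowed


def token_request_ok(auth_uri: Optional[str], token_uri: Optional[str]) -> bool:
    """Rule from the quoted spec text: if redirect_uri was included in the
    authorization request, the token request's value must be identical."""
    if auth_uri is None:
        return True
    return token_uri == auth_uri


if __name__ == "__main__":
    print("base registered, strict:", strict_match(BUFFER_URI, BUFFER_BASE))
    print("full registered, strict:", strict_match(BUFFER_URI, BUFFER_URI))
    print("base registered, loose: ", loose_match(BUFFER_URI, BUFFER_BASE))
```

With the loose variant, any query string on a registered path is accepted, so the query parameters are no longer covered by the registration at all.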