Error response doesn't follow spec #8
Comments
Nice catch :) But you can be sure that all of AuthorizeRequest's parameters are already validated. This for example is covered here and more specifically here. But due to your inquiry I found another issue where in fact the AuthorizeRequest will be nil if an error occurs in

They are validated but then that method returns an error which as per the README is passed to

Ha! Got it, nice catch! This should do, right?

```go
if ar.GetRedirectURI().String() == "" || err == ErrInvalidRequest {
	pkg.WriteJSON(rw, rfcerr)
	return
}
```

It might be smarter and more transparent making validation explicit:

```go
if !ar.HasValidRedirectURL() {
	pkg.WriteJSON(rw, rfcerr)
	return
}
```

As promised, check the Hall of Fame

chore: upgrade go-jose dependency
I appreciate this is still under heavy development and this is likely just not implemented yet, but thought I'd add it here so that it doesn't get lost. Library looks really good so far.
As per the spec:
Currently the redirect URI is used for all errors except a missing `redirect_uri`. Potential attack could be a `redirect_uri` of `javascript:evil();` to perform XSS.
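
The check this issue asks for, as an added example that is not part of the original thread or the project's code: RFC 6749 section 4.1.2.1 says an authorization server must not redirect when the redirection URI is missing, invalid or mismatching, so the error is only sent to a URI that has passed validation. The function name `errorRedirectTarget`, the exact-match policy, the http(s)-only rule and the sample URIs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// errorRedirectTarget (hypothetical helper) decides where an authorization
// error may be delivered. It returns the redirect URL with the error appended
// only if rawRedirect exactly matches a registered URI and is an absolute
// http(s) URL without a fragment. When ok is false the caller must render
// the error itself (for example as JSON) and must not redirect.
func errorRedirectTarget(rawRedirect string, registered []string, errCode, state string) (string, bool) {
	matched := false
	for _, r := range registered {
		if rawRedirect != "" && rawRedirect == r {
			matched = true
			break
		}
	}
	if !matched {
		return "", false // missing or mismatching redirect_uri
	}
	u, err := url.Parse(rawRedirect)
	// Assumption: only web clients. Rejects javascript:, data: and similar
	// schemes even if one was registered by mistake.
	if err != nil || u.Host == "" || u.Fragment != "" || (u.Scheme != "https" && u.Scheme != "http") {
		return "", false
	}
	q := u.Query()
	q.Set("error", errCode)
	if state != "" {
		q.Set("state", state)
	}
	u.RawQuery = q.Encode()
	return u.String(), true
}

func main() {
	registered := []string{"https://client.example/cb"} // constructed sample registration
	samples := []string{"https://client.example/cb", "", "javascript:evil();", "https://other.example/cb"}
	for _, raw := range samples {
		target, ok := errorRedirectTarget(raw, registered, "invalid_request", "xyz")
		fmt.Printf("%q -> redirect=%v %s\n", raw, ok, target)
	}
}
```
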