Describe the bug
Due to https://tools.ietf.org/html/rfc3986#section-3.1 the + character is allowed in URL schemes. So web+application://callback should be a valid callback URL. Using this for the OAuth2 authorization code flow results in:
Reproducing the bug
Steps to reproduce the behavior:
Create a client in Hydra, containing a plus in the redirect_uris:
Server logs
time=2020-09-14T09:42:37Z level=error msg=An error occurred audience=application error=map[message:invalid_request reason:The "redirect_uri" parameter does not match any of the OAuth 2.0 Client's pre-registered redirect urls. status:Bad Request status_code:400] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:de-de user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15] host:localhost:9000 method:GET path:/oauth2/auth query:client_id=application&redirect_uri=web+application://callback&response_type=code&state=3d1pwr0z&scopes=openid remote:172.22.0.1:59436 scheme:http] service_name= service_version=
Server configuration
Dockerfile
.env
Expected behavior
The usual /oauth2/auth response without error.
Environment
Additional context
Discussion in Ory Community: https://community.ory.sh/t/redirect-url-containing-plus-character/2158
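The logged request carries `redirect_uri=web+application://callback` with the `+` unencoded, and in form-encoded query strings `+` decodes to a space while `%2B` decodes to `+`. The following is an added example, not Hydra's code and not from the issue author: it uses Go's standard `net/url` to decode the logged query and compare it against a registered URI, where the exact-match comparison, the `registered` list and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// registered is a constructed stand-in for the client's redirect_uris list.
var registered = []string{"web+application://callback"}

// redirectURIFromQuery decodes a raw query string the way Go's net/url does
// (application/x-www-form-urlencoded rules: "+" means space, "%2B" means "+").
func redirectURIFromQuery(rawQuery string) (string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return values.Get("redirect_uri"), nil
}

// matchesRegistered does an exact string comparison (assumed matching rule).
func matchesRegistered(uri string) bool {
	for _, r := range registered {
		if uri == r {
			return true
		}
	}
	return false
}

// buildAuthQuery percent-encodes each parameter so "+" survives decoding.
func buildAuthQuery(clientID, redirectURI, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("state", state)
	return q.Encode()
}

func main() {
	// Query string copied from the logged request on this page.
	logged := "client_id=application&redirect_uri=web+application://callback&response_type=code&state=3d1pwr0z&scopes=openid"
	got, _ := redirectURIFromQuery(logged)
	fmt.Printf("logged : %q match=%v\n", got, matchesRegistered(got))
	encoded := buildAuthQuery("application", "web+application://callback", "3d1pwr0z")
	got, _ = redirectURIFromQuery(encoded)
	fmt.Printf("encoded: %q match=%v\n", got, matchesRegistered(got))
}
```

When checking a report like this one, compare the decoded parameter value against the registered URI rather than the raw query text shown in the log.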