Add comment for ContainsRedirectURI about the exact match (#30457)
authorwxiaoguang <wxiaoguang@gmail.com>
Sat, 13 Apr 2024 09:31:40 +0000 (17:31 +0800)
committerGitHub <noreply@github.com>
Sat, 13 Apr 2024 09:31:40 +0000 (09:31 +0000)
Close #26897
Replace #30336

models/auth/oauth2.go

index 9d53fffc78695d6d4651a825677d5b19378b8964..bc1bcaef63210df260fe7ccdc0078d6ef8fec440 100644 (file)
@@ -137,6 +137,11 @@ func (app *OAuth2Application) TableName() string {
 
 // ContainsRedirectURI checks if redirectURI is allowed for app
 func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
+       // OAuth2 requires the redirect URI to be an exact match, no dynamic parts are allowed.
+       // https://stackoverflow.com/questions/55524480/should-dynamic-query-parameters-be-present-in-the-redirection-uri-for-an-oauth2
+       // https://www.rfc-editor.org/rfc/rfc6819#section-5.2.3.3
+       // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+       // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-12#section-3.1
        contains := func(s string) bool {
                s = strings.TrimSuffix(strings.ToLower(s), "/")
                for _, u := range app.RedirectURIs {
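Review bot: The first added comment line states that OAuth2 requires the redirect URI to be an exact match, but the `contains` closure directly beneath it lower-cases the whole URI and strips a trailing slash before comparing, so the check as written is exact only up to case and trailing-slash normalisation; because the path and query components of a URI are case-sensitive, lower-casing the full string is looser than the RFC 6819 §5.2.3.3 / security-topics guidance the comment cites. Either the comment should describe what the code actually does, e.g. `// Compared case-insensitively and ignoring a trailing slash; beyond that OAuth2 requires an exact match, no dynamic parts are allowed.`, or the normalisation should be limited to the scheme and host so the comment becomes true. The Stack Overflow link is a weak citation next to the RFC and OpenID references and could be dropped. The `contains` closure and the rest of ContainsRedirectURI continue past the end of the hunk, so whether a later step tightens the comparison cannot be seen here.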