From 34fcd43ec3a25c2aa3e9e46ea16b832d1675b766 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Mon, 30 Sep 2019 16:16:28 +0200
Subject: [PATCH] Infer the redirect_uri from the registered addresses when no explicit value is provided

---
 ...OpenIddictServerHandlers.Authentication.cs | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
index 571d983b..c8b6d314 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
@@ -1221,7 +1221,29 @@ namespace OpenIddict.Server
 throw new InvalidOperationException("The client application details cannot be found in the database.");
 }

- // Ensure that the specified redirect_uri is valid and is associated with the client application.
+ // If no explicit redirect_uri was specified, retrieve the addresses associated with
+ // the client and ensure exactly one redirect_uri was attached to the client definition.
+ if (string.IsNullOrEmpty(context.RedirectUri))
+ {
+ var addresses = await _applicationManager.GetRedirectUrisAsync(application);
+ if (addresses.Length != 1)
+ {
+ context.Logger.LogError("The authorization request was rejected because " +
+ "the mandatory 'redirect_uri' parameter was missing.");
+
+ context.Reject(
+ error: Errors.InvalidRequest,
+ description: "The mandatory 'redirect_uri' parameter is missing.");
+
+ return;
+ }
+
+ context.SetRedirectUri(addresses[0]);
+
+ return;
+ }
+
+ // Otherwise, ensure that the specified redirect_uri is valid and is associated with the client application.
 if (!await _applicationManager.ValidateRedirectUriAsync(application, context.RedirectUri))
 {
 context.Logger.LogError("The authorization request was rejected because the redirect_uri " +
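Review bot: The early `return;` right after `context.SetRedirectUri(addresses[0]);` means an inferred address never reaches `ValidateRedirectUriAsync`, so whatever checks that method applies (its body is not visible in this hunk) are skipped and the value is trusted solely because it came from the application store. If that is intended, state it at the call site, e.g. `// The inferred address comes from the client registration itself and is deliberately not re-validated.`; if it is not, the inferred value should be held to the same checks as an explicit one before it is used as the redirection target. The rejection branch also logs the same "parameter was missing" message whether the client has no registered address or several, so including `addresses.Length` in the log entry would let operators tell a misconfigured client from an ambiguous one. The enclosing handler method starts and ends outside the hunk.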