RedirectURI prefix validation
KushNaseeb opened this issue · 2 comments
Is there a reason for only validating the prefix of redirectURI with the registered baseURI instead of validating the exact URL? As per the OAuth2 RFC, baseURI should be identical with redirectURI, so why only the prefix validation?
The prefix validation was considered practical in the past as you would specify a single URL per domain and your client could redirect freely within it.
This practice, however, is currently frowned upon and exact matching is recommended by current BCP documents. I suppose that if we were to consider creating a v2 for this library, exact redirect URI matching and contexts in all Storage calls would be the two features that would come to my mind.
I actually expect some work to be done to the redirect URI validation in the near future, I wonder whether we could possibly include exact redirect URI matching there, too.
Thanks for clarifying @stlaz
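To make the difference between the two policies discussed above concrete, here is an added example (not code from this library or from anyone in the thread) that puts a prefix check beside the exact-match check recommended by the OAuth 2.0 Security BCP, then runs both over a few constructed redirect URIs. The registered URIs, the hostnames and the function names (`validatePrefix`, `validateExact`, `checkBoth`) are all assumptions made for the example. The one deliberate relaxation in `validateExact` is the loopback rule from RFC 8252 section 7.3, under which a native app's loopback redirect may use a different port on every request.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample registrations (hypothetical values, not from any real client).
const (
	registeredCallback = "https://app.example.com/oauth/callback" // full callback URL
	registeredBase     = "https://app.example.com"                // domain-only registration
	registeredLoopback = "http://127.0.0.1/cb"                    // native-app loopback redirect
)

// validatePrefix models the older policy discussed in the issue: the presented
// redirect URI is accepted whenever it begins with the registered string, so a
// client may redirect anywhere "under" its registered base.
func validatePrefix(registered, presented string) error {
	if !strings.HasPrefix(presented, registered) {
		return errors.New("redirect URI does not start with the registered base URI")
	}
	return nil
}

// isLoopback reports whether u points at a loopback IP address, the one case in
// which RFC 8252 section 7.3 requires the server to accept any port.
func isLoopback(u *url.URL) bool {
	h := u.Hostname()
	return h == "127.0.0.1" || h == "::1"
}

// validateExact implements the matching the OAuth 2.0 Security BCP recommends:
// a simple string comparison of the whole URI, with the single RFC 8252
// exception for loopback redirects of native apps.
func validateExact(registered, presented string) error {
	pre, err := url.Parse(presented)
	if err != nil {
		return fmt.Errorf("unparseable redirect URI: %w", err)
	}
	// RFC 6749 section 3.1.2: a redirect URI must not carry a fragment.
	if pre.Fragment != "" || strings.Contains(presented, "#") {
		return errors.New("redirect URI must not contain a fragment")
	}
	if registered == presented {
		return nil
	}
	reg, err := url.Parse(registered)
	if err != nil {
		return fmt.Errorf("unparseable registered URI: %w", err)
	}
	// Loopback exception: everything but the port must still match exactly.
	if isLoopback(reg) && isLoopback(pre) &&
		reg.Scheme == pre.Scheme &&
		reg.Hostname() == pre.Hostname() &&
		reg.Path == pre.Path &&
		reg.RawQuery == pre.RawQuery {
		return nil
	}
	return errors.New("redirect URI does not exactly match the registered URI")
}

// checkBoth returns (prefixAccepts, exactAccepts) for one presented URI.
func checkBoth(registered, presented string) (bool, bool) {
	return validatePrefix(registered, presented) == nil, validateExact(registered, presented) == nil
}

func main() {
	// Constructed inputs: the same callback, two variants underneath it, a
	// different host that merely begins with the registered string, and a
	// loopback redirect on an ephemeral port.
	cases := []struct{ registered, presented string }{
		{registeredCallback, "https://app.example.com/oauth/callback"},
		{registeredCallback, "https://app.example.com/oauth/callback/extra"},
		{registeredCallback, "https://app.example.com/oauth/callback?next=/home"},
		{registeredBase, "https://app.example.com.other.example/"},
		{registeredLoopback, "http://127.0.0.1:49152/cb"},
	}
	fmt.Printf("%-42s %-50s %-6s %-5s\n", "registered", "presented", "prefix", "exact")
	for _, c := range cases {
		p, e := checkBoth(c.registered, c.presented)
		fmt.Printf("%-42s %-50s %-6v %-5v\n", c.registered, c.presented, p, e)
	}
}
```

The table the program prints shows the trade-off the maintainer's comment refers to: the prefix policy accepts every URI that extends the registered string, including a different host when only a bare origin was registered, while exact matching accepts only the registered value and the loopback port variant that RFC 8252 requires.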