authentication icon indicating copy to clipboard operation
authentication copied to clipboard

Published 20 hours ago verified publisher icon WP-API

Evaluate URL comparison

Open TimothyBJacobs opened this issue 5 years ago • 0 comments

There are two main places where we compare URLs against each other to ensure they match in someway.

  1. Dynamic Clients. We make sure that the client_uri ( which is what we display in the UI ) is the same host as the redirect_uris and other uris. This currently uses parse_url( PHP_URL_HOST ). Can this be spoofed?

  2. Redirect URIs. We check that the requested redirect_uri is one of the whitelisted redirect_uris. Is this an accurate check?

TimothyBJacobs avatar May 21 '20 17:05 TimothyBJacobs