
Redirect_URI allowlist

Open dshanske opened this issue 7 years ago • 5 comments

Currently, the plugin only supports redirect_uris on the same domain as the client_id. The spec calls for having the client_id have an allowlist of acceptable redirect_uris that can be polled. This is not yet supported.

@aaronpk alternatively allows this to be overridden by issuing a warning in the authorization screen, as opposed to what the plugin does, which is reject it.

https://indieauth.spec.indieweb.org/#redirect-url

dshanske avatar Apr 25 '18 23:04 dshanske
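The check the issue asks for, written out as an added example (this is not the plugin's code, and it is Python rather than the plugin's PHP): the authorization endpoint first compares scheme, host and port of redirect_uri against client_id; only when they differ does it consult the allowlist the client publishes as rel="redirect_uri" links, either in the HTTP Link header or in the HTML of the client_id page, as the linked spec section describes. The client_id, Link header and HTML below are constructed sample data, and the `strict` flag is an assumption that models the two behaviours discussed in the thread (reject outright, or let it through with a warning).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _RelLinkParser(HTMLParser):
    """Collect href values of <link>/<a> elements whose rel list contains 'redirect_uri'."""

    def __init__(self):
        super().__init__()
        self.redirect_uris = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").split()
        if "redirect_uri" in rels and a.get("href"):
            self.redirect_uris.append(a["href"])


def parse_link_header(value):
    """Return the targets of an HTTP Link header whose rel list contains 'redirect_uri'."""
    uris = []
    for part in value.split(","):
        m = re.match(r"\s*<([^>]+)>(.*)", part)
        if not m:
            continue
        target, params = m.group(1), m.group(2)
        rel_m = re.search(r'rel\s*=\s*"?([^";]+)"?', params)
        if rel_m and "redirect_uri" in rel_m.group(1).split():
            uris.append(target)
    return uris


def published_redirect_uris(client_id, link_header="", html_body=""):
    """Build the client's allowlist from both sources, resolving relative hrefs against client_id."""
    found = parse_link_header(link_header)
    p = _RelLinkParser()
    p.feed(html_body)
    found += p.redirect_uris
    return [urljoin(client_id, u) for u in found]


def same_origin(a, b):
    """True when scheme, host and port all match (the spec's 'same host' test)."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def check_redirect_uri(client_id, redirect_uri, link_header="", html_body="", strict=True):
    """Decide whether to honour redirect_uri.

    Returns (decision, reason) where decision is 'allow', 'reject' or 'warn'.
    Allowlist entries must match exactly; no prefix or wildcard matching.
    """
    if same_origin(client_id, redirect_uri):
        return "allow", "redirect_uri shares scheme, host and port with client_id"
    if redirect_uri in published_redirect_uris(client_id, link_header, html_body):
        return "allow", "redirect_uri is in the client's published allowlist"
    # Mismatch and not allowlisted: the plugin's behaviour is to reject; the
    # alternative mentioned in the issue is to show a warning and continue.
    if strict:
        return "reject", "Redirect not on same host as client"
    return "warn", "Redirect not on same host as client"


# Constructed sample client (hypothetical host and scheme; not from the page).
SAMPLE_CLIENT_ID = "https://app.example/"
SAMPLE_LINK_HEADER = '<https://app.example/callback>; rel="redirect_uri"'
SAMPLE_HTML = """<html><head>
<link rel="redirect_uri" href="myapp://auth/callback">
<a rel="redirect_uri" href="/cb2">alt</a>
</head><body>client</body></html>"""


def demo():
    """Run the check over a few constructed requests and return the decisions."""
    return {
        "same_origin": check_redirect_uri(SAMPLE_CLIENT_ID, "https://app.example/cb")[0],
        "custom_scheme_listed": check_redirect_uri(
            SAMPLE_CLIENT_ID, "myapp://auth/callback", html_body=SAMPLE_HTML)[0],
        "other_host_unlisted": check_redirect_uri(
            SAMPLE_CLIENT_ID, "https://other.example/cb", SAMPLE_LINK_HEADER, SAMPLE_HTML)[0],
        "http_downgrade": check_redirect_uri(SAMPLE_CLIENT_ID, "http://app.example/cb")[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

A real endpoint would fetch the client_id URL to obtain the Link header and HTML; here both are passed in so the logic runs offline. Note that the origin comparison includes the scheme, so an http:// redirect_uri for an https:// client_id is not treated as same-origin and must be allowlisted explicitly.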

Here's what my auth endpoint shows when there is a mismatch.

[screenshot 2018-04-26 06 43 37]

If the redirect_uri and client_id have the same domain then that notice is not shown.

aaronpk avatar Apr 26 '18 13:04 aaronpk

In case people are searching for the error message they see, the wordpress plugin currently shows this when encountering this error:

{"error":"invalid_grant","error_description":"Redirect not on same host as client"}

aaronpk avatar May 03 '18 15:05 aaronpk

I'm currently experiencing this issue with Indigenous.

miklb avatar May 23 '18 15:05 miklb

This was changed in version 2.0.2

dshanske avatar May 23 '18 15:05 dshanske

The issue is still open as it warns, but doesn't check for an allowlist.

dshanske avatar May 23 '18 15:05 dshanske