Oauth2 authorization without `redirect_uri` param behaves strangely

[ilsubyeega]

You can authenticate without redirect_uri param on the authentication page. In this case, authentication is possible on the server side only by not including the redirect_uri. I think this is a bit misleading as the documentation doesn't specify that this redirect_uri param is optional.

My proposal is If that param doesn't exist, sending a error or edit the documentation.

1. Create a oauth client that has callback uri
2. Go code authorization page without redirect_uri param
3. Do authorize
4. Goes to callback uri
5. From server side, sending POST /token (with request_uri params) throws invalid redirect_uri

This is happened from my side:

1. Go https://osu.ppy.sh/oauth/authorize?response_type=code&client_id=5496
2. Get code param
3. After requesting with redirect_uri, Gets Error

After removing redirect_uri param from req

Client:

[notbakaneko]

redirect_uri is optional because the Client credential oauth flow doesn't require it.

[ilsubyeega]

redirect_uri is optional because the Client credential oauth flow doesn't require it.

For client_credentials it is, but for grant authorize_code I think it's different: if you look at the picture above, you can see that redirect_uri is not provided to get a token. Even though the authorization page actually redirected them to that redirect_uri.

[nanaya]

yes the documentation needs an update.

Although I think I'd rather have the documentation only listing the endpoints for oauth2 and link to external oauth2 documentation (something like this maybe) for people who want to implement their own client instead of using existing libraries.