David Ramos
Here's an example vulnerability caused by redirects: https://medium.com/@rootxharsh_90844/vimeo-ssrf-with-code-execution-potential-68c774ba7c1e The TL;DR is that a server-side application can validate a URL before making an outbound HTTP request (e.g., to a webhook server)...
See https://github.com/ramosbugs/oauth2-rs/commit/ec8f921032ff9ba8d827172f6ddcdfc692421e8e for a specific fix when using `reqwest` as the client.
If they follow redirects by default, then yup! SSRF has been growing in popularity in recent years, but unfortunately changing the default redirect behavior is a breaking change, so it's...
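To make the point in the two comments above concrete, here is an added example (my own illustration, not code from oauth2-rs or from the linked Vimeo write-up). It uses only the Rust standard library: the "network" is a constructed map of URL to response, the validator is a deliberately small allowlist check, and the three redirect policies stand in for reqwest's default (follow), the `redirect::Policy::none()` setting the linked commit switches to (deny), and the alternative of re-running the validator on every hop. The webhook hostnames, the metadata address and the response bodies are all made up for the scenario.

```rust
// Added example: why a URL check before an outbound request is bypassed when
// the HTTP client follows redirects. std-only; not the project's own code.
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Split a URL into (scheme, host). Deliberately minimal; real code should use a
/// proper URL parser rather than this.
fn scheme_and_host(url: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit('@').next()?; // drop "user:pass@"
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?, // bracketed IPv6 literal
        None => hostport.split(':').next()?, // drop ":port"
    };
    if host.is_empty() { None } else { Some((scheme, host)) }
}

fn is_internal_v4(v4: Ipv4Addr) -> bool {
    let o = v4.octets();
    v4.is_loopback()
        || v4.is_private()
        || v4.is_link_local() // covers 169.254.169.254 (cloud metadata)
        || v4.is_unspecified()
        || v4.is_broadcast()
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 shared space
}

/// Addresses an outbound webhook call must never reach.
fn is_internal_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => {
            if let Some(mapped) = v6.to_ipv4_mapped() {
                return is_internal_v4(mapped);
            }
            let seg0 = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
    }
}

/// The "validate the URL before the request" step. Hostnames are only checked
/// syntactically here; a real service must also resolve the name, check the
/// resolved address and pin it for the connection (DNS rebinding).
fn validate_outbound_url(url: &str) -> Result<(), String> {
    let (scheme, host) =
        scheme_and_host(url).ok_or_else(|| format!("unparseable URL: {url}"))?;
    if scheme != "https" {
        return Err(format!("scheme {scheme:?} not allowed for {url}"));
    }
    if let Ok(ip) = host.parse::<IpAddr>() {
        if is_internal_ip(ip) {
            return Err(format!("internal address {ip} refused"));
        }
    } else if host.eq_ignore_ascii_case("localhost")
        || host.ends_with(".localhost")
        || !host.contains('.')
    {
        return Err(format!("hostname {host:?} refused"));
    }
    Ok(())
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum RedirectPolicy {
    /// Follow 3xx blindly (reqwest's default): the validator only saw hop 0.
    Follow,
    /// Never follow (what `redirect::Policy::none()` gives you).
    None,
    /// Follow, but validate every hop before connecting to it.
    FollowRevalidating,
}

/// Constructed stand-in for the network.
enum Response {
    Redirect(&'static str),
    Body(&'static str),
}

#[derive(Debug, PartialEq)]
enum Outcome {
    Fetched(String),
    Refused(String),
}

fn outbound_request(
    net: &HashMap<&'static str, Response>,
    url: &str,
    policy: RedirectPolicy,
    max_hops: usize,
) -> Outcome {
    if let Err(e) = validate_outbound_url(url) {
        return Outcome::Refused(e);
    }
    let mut current = url.to_string();
    for _ in 0..=max_hops {
        match net.get(current.as_str()) {
            None => return Outcome::Refused(format!("no route to {current}")),
            Some(Response::Body(b)) => return Outcome::Fetched(b.to_string()),
            Some(Response::Redirect(target)) => match policy {
                RedirectPolicy::None => {
                    return Outcome::Refused(format!("{current} redirected; redirects disabled"))
                }
                RedirectPolicy::Follow => current = target.to_string(), // unchecked: SSRF
                RedirectPolicy::FollowRevalidating => {
                    if let Err(e) = validate_outbound_url(target) {
                        return Outcome::Refused(format!("redirect from {current} refused: {e}"));
                    }
                    current = target.to_string();
                }
            },
        }
    }
    Outcome::Refused("too many redirects".to_string())
}

/// Constructed scenario: an attacker-registered webhook passes validation, then
/// bounces the server to the (made-up) metadata endpoint.
fn sample_network() -> HashMap<&'static str, Response> {
    HashMap::from([
        ("https://hooks.example.com/ok", Response::Body("webhook delivered")),
        ("https://hooks.example.com/evil", Response::Redirect("http://169.254.169.254/latest/meta-data/")),
        ("http://169.254.169.254/latest/meta-data/", Response::Body("instance role credentials")),
    ])
}

fn main() {
    let net = sample_network();
    for policy in [RedirectPolicy::Follow, RedirectPolicy::None, RedirectPolicy::FollowRevalidating] {
        println!("{policy:?}: {:?}", outbound_request(&net, "https://hooks.example.com/evil", policy, 5));
    }
}
```

Only `Follow` ever returns the metadata body; `None` and `FollowRevalidating` both refuse it. The first matches the linked commit's approach of not following redirects at all, which is the safer default for a library, since the caller can always opt back in with a policy that re-validates each hop.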
the NewType pattern used in these two crates intentionally omits such convenience interfaces in favor of explicitness for the reasons outlined here: https://github.com/ramosbugs/oauth2-rs/issues/112#issuecomment-675801545 > This would make it much more...
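As an added illustration of the newtype style the comment above refers to (my own types, not the ones in oauth2-rs or openidconnect, and the field names are chosen for the example): the wrapper implements neither `Display` nor `Deref`, so the raw value can only leave through an explicit, greppable accessor, and a redacted `Debug` means a derived `Debug` on any struct that contains it cannot leak the secret into a log line or panic message.

```rust
// Added example of a newtype that deliberately omits convenience traits.
// Not the project's own code; names are illustrative.
use std::fmt;

/// No Display, no Deref, no AsRef<str>: the only way out is `secret()`.
pub struct ClientSecret(String);

impl ClientSecret {
    pub fn new(s: String) -> Self {
        ClientSecret(s)
    }

    /// Explicit accessor, so every place the raw value escapes is auditable.
    pub fn secret(&self) -> &str {
        &self.0
    }
}

/// `{:?}` never prints the value, wherever the type ends up embedded.
impl fmt::Debug for ClientSecret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("ClientSecret([redacted])")
    }
}

/// A config struct with a derived Debug: the secret field is redacted for free.
#[derive(Debug)]
pub struct ClientConfig {
    pub client_id: String,
    pub client_secret: ClientSecret,
}

/// What a `tracing`/`log` line with `{:?}` on the config would contain.
pub fn debug_repr(cfg: &ClientConfig) -> String {
    format!("{cfg:?}")
}

fn main() {
    let cfg = ClientConfig {
        client_id: "app-123".to_string(),
        client_secret: ClientSecret::new("s3cr3t".to_string()),
    };
    println!("{}", debug_repr(&cfg));
    // Using the value requires naming the accessor, which is the point.
    println!("secret length: {}", cfg.client_secret.secret().len());
}
```

The cost is exactly the friction the comment describes: callers must write `.secret()` rather than pass the wrapper where a `&str` is expected, which is what makes accidental exposure visible in review.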
hey @lovasoa, great question! as far as I understand that section of the spec, it's meant as an example rather than prescriptive (MUST/SHOULD). I'm really not seeing what security value...
see #306
since `ureq` is re-exported as part of the public interface when the `ureq` feature is enabled, this is a breaking change that would need to wait for the next major...
thanks for the PR! however, as I indicated [here](https://github.com/ramosbugs/oauth2-rs/pull/307#issuecomment-2833140328), this is a breaking change that will either need to wait for the next major version bump (not planned in the...