oauth2-server
Documentation: AuthCode grant redirect_uri must match authorization request
The documentation states that in Part Two of an Auth Code flow, redirect_uri must contain "the same redirect URI the user was redirect back to".
However, as per https://github.com/thephpleague/oauth2-server/pull/1096, it should actually match the redirect_uri from the authorization request, and it must be omitted if it was not present in that request.
I suggest changing the redirect_uri line in Part Two to:
- redirect_uri required if the redirect_uri parameter was included in Part One, and their values MUST be identical. Otherwise, this parameter must be omitted.
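
The rule proposed above, written as the check a token endpoint would apply in Part Two. This is an added example, not code from oauth2-server or from the issue author; the function name `checkTokenRedirectUri` and the `client.example` URLs are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (illustration only, not oauth2-server's API).
 *
 * $boundRedirectUri: redirect_uri stored with the authorization code in
 *                    Part One, or null if that request did not include one.
 * $tokenRedirectUri: redirect_uri sent in the Part Two token request,
 *                    or null if the client omitted it.
 *
 * Returns null when the request is acceptable, otherwise a reason string.
 */
function checkTokenRedirectUri(?string $boundRedirectUri, ?string $tokenRedirectUri): ?string
{
    if ($boundRedirectUri === null) {
        // Part One carried no redirect_uri, so Part Two must omit it as well.
        return $tokenRedirectUri === null ? null : 'redirect_uri must be omitted';
    }

    if ($tokenRedirectUri === null) {
        // Part One carried a redirect_uri, so Part Two must repeat it.
        return 'redirect_uri is required';
    }

    // Identical means byte-for-byte: no normalisation, prefix or host-only match.
    return $boundRedirectUri === $tokenRedirectUri ? null : 'redirect_uri does not match';
}

// Constructed sample cases: [value bound in Part One, value sent in Part Two].
$cases = [
    ['https://client.example/callback', 'https://client.example/callback'],
    ['https://client.example/callback', null],
    ['https://client.example/callback', 'https://client.example/callback/'],
    [null, null],
    [null, 'https://client.example/callback'],
];

foreach ($cases as [$bound, $sent]) {
    $reason = checkTokenRedirectUri($bound, $sent);
    printf("%-33s %-34s => %s\n", $bound ?? '(none)', $sent ?? '(omitted)', $reason ?? 'accept');
}
```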