node-oauth2-provider
Enforce redirect_uri by allowed prefix
Check to make sure that any redirect_uri that is passed in is allowed for that particular client_id.
The existence of `req.query.redirect_uri` is enforced in `/oauth/authorize` but isn't used. What's the intended behavior there? All the basic pieces are working for me, but it's not feeling totally joined up; I'll try to help clarify usage if I can.
The existence is enforced, but really the value should be checked to ensure that the `redirect_uri` is either an exact match or a prefix (application-dependent) of allowed values for that particular `client_id`.
I'm thinking of adding an `enforce_redirect_uri` event that will be passed the `client_id` and `redirect_uri` so the implementation can itself perform the check.
Apologies, I didn't properly see that `var authorize_url = req.url;` passes all the existing query parameters through. There was an error in the template code for my own login pages that was confusing me. Sorry for crashing this issue :)
+1, going to do this manually for now but the module should definitely require it
+1 just stumbled on this.
Perhaps it could be useful to also do something like what's described in the "User agent flow" section of this blog post: http://www.sociallipstick.com/?p=239
> The user agent flow is created for applications that cannot embed a secret key. The access token is just returned directly in the redirect response instead of requiring an extra server call. Security is handled in two ways:
> - Facebook makes sure that the access token is not sent to a random webserver by validating the redirect_uri matches a pre-registered URL.
> - The access token never goes across the wire in the clear. Even if redirect_uri is an HTTP url, the token itself is returned after the fragment (#) and so the browser will never send it to the server.
Basically, if the redirect_uri is present and matches, send an access token directly.