DefaultRedirectResolver should perform exact matching on the path component of the redirect_uri.
Hello @jgrandja
What was the reason that paths are now checked exactly? All our configurations are now broken... :-/
@ractive Exact matching on redirect-uri was applied to prevent an Open Redirector attack.
Hello @jgrandja
I understand the intention behind this modification, however I had had a developer oauth server configured with a dummy authenticator that all of the developers could call and this service just redirected back to the caller url. Is it possible to somehow support this requirement?
Thanks @jgrandja
My request was different than #1566. I wanted to support the previous behavior for development even if I know that logic is vulnerable. But I found the AuthorizationServerEndpointsConfigurer where I could register my CustomRedirectResolver. Thanks
Is there a way to implement this that would allow for wildcards in the redirect url? My application has information in the URLs that is used for tenancy for each customer and I won't be able to use exact redirect matching