From f9fff24ca5c4fee79e3d479a17c955f593877614 Mon Sep 17 00:00:00 2001
From: Dreddy <24421368+Dredsen@users.noreply.github.com>
Date: Wed, 13 May 2026 10:34:39 -0400
Subject: [PATCH] fix: oidc open redirect (#854)
---
 internal/service/oidc_service.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/internal/service/oidc_service.go b/internal/service/oidc_service.go
index 92216451..b263cc66 100644
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -296,6 +296,11 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 if !ok {
 return errors.New("access_denied")
 }
+
+ // Redirect URI to verify that it's trusted
+ if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
+ return errors.New("invalid_request_uri")
+ }
 
 // Scopes
 scopes := strings.Split(req.Scope, " ")
@@ -318,11 +323,6 @@ func (service *OIDCService) ValidateAuthorizeParams(req AuthorizeRequest) error
 return errors.New("unsupported_response_type")
 }
 
- // Redirect URI
- if !slices.Contains(client.TrustedRedirectURIs, req.RedirectURI) {
- return errors.New("invalid_request_uri")
- }
-
 // PKCE code challenge method if set
 if req.CodeChallenge != "" && req.CodeChallengeMethod != "" {
 if req.CodeChallengeMethod != "S256" && req.CodeChallengeMethod != "plain" {
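Review bot: The relocated check under `// Redirect URI to verify that it's trusted` carries no comment saying why it must now run before the scope and response_type validation, so a later tidy-up could move it back down and silently reopen the open redirect this commit is titled for. Suggest a why-comment in its place, e.g. `// Validate redirect_uri first: any error returned after this point may be delivered by redirecting to req.RedirectURI, so the URI must be a registered one before other checks can fail (RFC 6749 §4.1.2.1: exact match, never redirect on mismatch).` The handler that consumes these errors is not visible here; if it redirects every validation error to req.RedirectURI, then `access_denied` (unknown client) and `invalid_request_uri` (unregistered URI) still have no validated target and must be rendered rather than redirected, which is worth confirming. Note also that `invalid_request_uri` is the RFC 9101 error code for a bad `request_uri` parameter, not `redirect_uri`; the string is pre-existing and callers may match on it, so keep it, but a short comment noting the mismatch would spare the next reader a detour. ValidateAuthorizeParams begins before this hunk and continues after the second one.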