mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-12-31 04:22:28 +00:00
Per OAuth 2.0 RFC 6749 §4.1.2.1, errors should NOT redirect to unvalidated redirect_uri values. This fix:
- Returns JSON errors for failures before redirect_uri validation (missing parameters, invalid client)
- Only redirects to redirect_uri after it has been validated against registered client URIs
- Prevents open redirect attacks where malicious redirect_uri values could be used to redirect users to attacker-controlled sites
13 KiB
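The ordering the commit message describes, as an added example in Go (tinyauth's language). This is not tinyauth's code or its client store: the client registry, the `authorize` helper and the placeholder authorization code are assumptions made for illustration. The point it shows is that every failure up to and including redirect_uri validation is answered with a JSON body and no Location header, and only once redirect_uri exactly matches a registered URI are errors (and the success code) redirected to it, with the client's state carried along.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// clientRegistry maps a client_id to its registered redirect URIs.
// Constructed sample data for this example, not tinyauth's client store.
type clientRegistry map[string][]string

// writeJSONError answers the caller directly, without redirecting. It is used
// for every failure that happens before redirect_uri has been validated.
func writeJSONError(w http.ResponseWriter, status int, code, desc string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"error": code, "error_description": desc})
}

// redirectTo appends the given parameters to an already validated redirect_uri
// and issues a 302, preserving the client's state (RFC 6749 §4.1.2.1).
func redirectTo(w http.ResponseWriter, r *http.Request, redirectURI, state string, params map[string]string) {
	u, _ := url.Parse(redirectURI) // safe: matched a registered URI exactly
	q := u.Query()
	for k, v := range params {
		q.Set(k, v)
	}
	if state != "" {
		q.Set("state", state)
	}
	u.RawQuery = q.Encode()
	http.Redirect(w, r, u.String(), http.StatusFound)
}

// redirectURIRegistered requires an exact string match. Prefix or host-only
// matching would reopen the open-redirect hole the fix is closing.
func redirectURIRegistered(registered []string, candidate string) bool {
	for _, r := range registered {
		if r == candidate {
			return true
		}
	}
	return false
}

// authorizeHandler is a hypothetical /authorize endpoint: JSON errors until
// redirect_uri is trusted, redirects afterwards.
func authorizeHandler(clients clientRegistry) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		clientID, redirectURI, state := q.Get("client_id"), q.Get("redirect_uri"), q.Get("state")

		if clientID == "" {
			writeJSONError(w, http.StatusBadRequest, "invalid_request", "client_id is required")
			return
		}
		registered, ok := clients[clientID]
		if !ok {
			writeJSONError(w, http.StatusBadRequest, "invalid_client", "unknown client_id")
			return
		}
		if redirectURI == "" {
			writeJSONError(w, http.StatusBadRequest, "invalid_request", "redirect_uri is required")
			return
		}
		if !redirectURIRegistered(registered, redirectURI) {
			// MUST NOT redirect here: redirect_uri is still attacker-controlled input.
			writeJSONError(w, http.StatusBadRequest, "invalid_request", "redirect_uri not registered for client")
			return
		}

		// From this point redirect_uri is trusted, so errors may be redirected.
		if q.Get("response_type") != "code" {
			redirectTo(w, r, redirectURI, state, map[string]string{
				"error": "unsupported_response_type", "error_description": "only response_type=code is supported"})
			return
		}
		// Success path; a fixed placeholder stands in for real code issuance.
		redirectTo(w, r, redirectURI, state, map[string]string{"code": "placeholder-authorization-code"})
	}
}

// authorize drives the handler in-process and returns status, Location header and
// body, so the behaviour can be checked without a running server.
func authorize(clients clientRegistry, rawQuery string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "/authorize?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	authorizeHandler(clients)(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Body.String()
}

func main() {
	clients := clientRegistry{"app1": {"https://app.example/callback"}}
	for _, q := range []string{
		"client_id=app1&redirect_uri=https://evil.example/&response_type=code",
		"client_id=app1&redirect_uri=https://app.example/callback&response_type=token&state=xyz",
	} {
		status, loc, body := authorize(clients, q)
		fmt.Printf("%s\n  -> %d Location=%q body=%s\n", q, status, loc, body)
	}
}
```

The first request in `main` carries an unregistered redirect_uri and gets a 400 JSON body with an empty Location; the second carries a registered redirect_uri but a bad response_type and gets a 302 back to the registered URI with `error=unsupported_response_type` and `state=xyz`. Exact matching is deliberate: the RFC permits partial matching in some cases, but any looser comparison is where open redirects creep back in.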