Reuse callback_url between request phase and callback phase #142
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As explained in #141, the
callback_url
being used in the callback phase is different than the one sent to the authorization server during the request phase (TLDR: During the callback phase,state
andcode
are included as query params within theredirect_uri
). This does not comply with the spec which is very clear that theredirect_uri
(akacallback_url
) in the code-token exchange request must match the one sent in the authorization request.According to the spec:
PS: It was a bit tricky to write the tests in a way to test this flow within the
callback_phase
method given the amount of mocking needed for the happy case (especially for parent class logic), so I opted for testing thebuild_access_token
method.