Non-URL redirection URIs fail validation (e.g., for native apps with custom schemes)

[bradjones1]

I have a native app which performs OAuth2 with, among other clients, a native app.

The redirection URI is something like native.app.reverse.dns://, which is a valid URI but is not a URL.

Spec references:
https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
https://datatracker.ietf.org/doc/html/rfc3986#section-4.3

The culprit is parse_url(), which as the name implies is specific to URLs. Further FWIW the PHP docs say:

This function is not meant to validate the given URL, it only breaks it up into the parts listed below...

Which is more or less what we're doing here.

To be truly spec-compliant, we must allow and match against URIs, not just the subset which are URLs.

This being a League package, good thing there's https://github.com/thephpleague/uri, which advertises URI validation and manipulation. Let's use that.

Also this affects the Drupal implementation, since Drupal core assumes URIs are URLs, despite the various interfaces being called UriWhatever.

[bradjones1]

Potentially related #1039

[bradjones1]

Refs #1188 (comment), though that and its related PR still use parse_url() which I think is incorrect.

[Sephster]

Thanks @bradjones1 and thanks for the PR. I will take a look at this tomorrow

[victorbalssa]

Hello,
same problem here.
I have a native application with scheme:// as redirect_uri,
Thank you @bradjones1 💪🏻