Our testing has identified a somewhat obscure redirect vulnerability in `AuthorizeRestWebServiceImpl.java`. As you know, section [3.1.2.6](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) of the spec says: *Unless the Redirection URI is invalid*, the Authorization Server returns the Client to the Redirection URI specified in the Authorization Request with the appropriate error and state parameters. We have discovered that it is possible to have oxAuth redirect the client to an arbitrary URL as follows: 1. Log in normally using a valid authentication request 2. Send a second authentication request in which the value of the `acr_values` parameter is something invalid/unsupported and the value of `redirect_uri` is not one registered to the client. In this case, the unsupported `acr` causes oxAuth to throw an AcrChangedException before the redirect_uri has been validated, and the [exception handler](https://github.com/GluuFederation/oxAuth/blob/210c9462b14146a97b34860e600945204098bbc1/Server/src/main/java/org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java#L669-L678) then redirects the browser to the unvalidated URL. We discovered this in 4.1, but I have also been able to reproduce it in 4.2.