By: Nathan Hokanson user 27 Apr 2016 at 3:28 p.m. CDT

I have a client that has two redirect URIs defined:

http://localhost:5555/dist/dev/#/auth_callback
http://jaymac.local:8080

When both are defined, the first stops working and I get the error listed in the title of this ticket. I don't see any errors in the log files. If only one is defined it seems to work OK.

Also (and I need to open a separate ticket for this, let me know), when the redirect URI is defined with a hash in it (as in the first example here), the response comes back in a non-hash format:

http://localhost:5555/dist/dev/#/auth_callback&session_state=11ca644c-7ea4-4cf2-b4d6-a44a650186bd&scope=openid+clientinfo+CFScope&state&expires_in=299&token_type=bearer&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjkzMWY5OGQ2LWE3MDQtNDU5Yy04ODQxLWRhZmU4NjM3ODI0ZiJ9.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.LBHuCoJ7-j-SIBM0glIAbzCdUax2DmZECpZocyC-G7qh3dM5BJIswgkU4x3bHNBaLvVsY--pM-LqOiD9Oei8pd6rIhZCPkUC08wMwezZsEwPAm-Hf4RcBVx5unfrfd8QSNENGLBy8gNX499N-0m8k5tEAThHAdL0Er8i7xn5ZtsaAAJcYI1LM2_E7YwzlqPEvureQ2Nzk25CEcph-pBDqi_6vLRqCtp9anAUhSK_7Ajq4G-mlowPG4HOXJ-let6aNg0YN96kIGn4lzB0aGUUdLAb072w1ZO2T82UOQGaBHSrZ6-swGPcUzpymW1EddpogTr9WI3oMAcmLqBaciXo9w&access_token=cf9f2cea-5c78-4eac-9454-bf7458b2b097

As you can see there is no ? in the URL. Angular2 is having a hard time parsing that URL.

Thanks,
Nathan

By Yuriy Zabrovarnyy staff 27 Apr 2016 at 4:54 p.m. CDT

Hi Nathan,

It seems you have an application_type='web' client. For a web client only the https scheme is allowed; otherwise it must be rejected.

http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest

    application_type
    OPTIONAL. Kind of the application. The default, if omitted, is web. The defined values are native or web. Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris; they MUST NOT use localhost as the hostname. Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. Authorization Servers MAY place additional constraints on Native Clients. Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients. The Authorization Server MUST verify that all the registered redirect_uris conform to these constraints. This prevents sharing a Client ID across different types of Clients.

http://openid.net/specs/openid-connect-core-1_0.html

About fragment handling: it is specified in section "3.2.2.7. Redirect URI Fragment Handling". According to the URI specification there can be only one fragment: https://tools.ietf.org/html/rfc3986#page-24

Thanks,
Yuriy
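Added example, not code from either poster or from the server product discussed: a registration-time check that applies the application_type constraints quoted above, plus the client-side fragment parsing from OIDC Core 3.2.2.7. The fragment rejection comes from RFC 6749 section 3.1.2 (redirection endpoint URIs must not include a fragment), which the thread does not quote; the sample URLs are the two from the ticket plus constructed values.

```python
from urllib.parse import urlsplit, parse_qsl


def validate_redirect_uris(uris, application_type="web"):
    """Return (uri, reason) pairs for every non-conforming URI; [] means all accepted.

    Rules follow the OIDC Registration 1.0 'application_type' text; the fragment
    rule is RFC 6749 section 3.1.2 (added here, not from the thread).
    """
    problems = []
    for uri in uris:
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if parts.fragment or "#" in uri:
            # A registered redirect_uri carrying '#/route' collides with the
            # implicit-flow response, which is itself delivered in the fragment.
            problems.append((uri, "redirect_uri must not contain a fragment"))
        elif application_type == "web":
            if parts.scheme != "https":
                problems.append((uri, "web clients must use https"))
            elif host == "localhost":
                problems.append((uri, "web clients must not use localhost"))
        elif application_type == "native":
            if parts.scheme == "http" and host != "localhost":
                problems.append((uri, "native clients may use http only with localhost"))
            elif parts.scheme == "https":
                problems.append((uri, "native clients must use a custom scheme or http://localhost"))
        else:
            problems.append((uri, "unknown application_type"))
    return problems


def parse_implicit_response(redirected_url):
    """Client side: the implicit-flow response lives in the fragment, not the query."""
    fragment = urlsplit(redirected_url).fragment
    # keep_blank_values keeps a bare 'state' (as seen in the ticket) as state=''
    return dict(parse_qsl(fragment, keep_blank_values=True))


if __name__ == "__main__":
    ticket_uris = ["http://localhost:5555/dist/dev/#/auth_callback", "http://jaymac.local:8080"]
    for uri, reason in validate_redirect_uris(ticket_uris, "web"):
        print(f"rejected {uri}: {reason}")
    # Constructed response URL (token values are placeholders, not real tokens).
    ok = "https://app.example/cb#access_token=TOKEN_PLACEHOLDER&token_type=bearer&state=xyz&expires_in=299"
    print(parse_implicit_response(ok))
    # Shape of the URL from the ticket: the SPA route becomes a bogus parameter.
    bad = "http://localhost:5555/dist/dev/#/auth_callback&state&token_type=bearer"
    print(parse_implicit_response(bad))
```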