By: Sakit Atakishiyev user 06 Jun 2018 at 7:33 a.m. CDT

5 Responses
Hi everyone. The API documentation says that when we call the token endpoint the `redirect_uri` parameter is not required, but in `TokenParamsValidator.java` the developer checks this parameter if `grant_type=authorization_code`:

```java
switch (gt) {
    case AUTHORIZATION_CODE:
        // code and redirect_uri must both be present and non-empty
        result = code != null && !code.isEmpty()
              && redirectUri != null && !redirectUri.isEmpty();
        break;
    case RESOURCE_OWNER_PASSWORD_CREDENTIALS:
        result = true;
        break;
    case CLIENT_CREDENTIALS:
        result = true;
        break;
    case REFRESH_TOKEN:
        result = refreshToken != null && !refreshToken.isEmpty();
        break;
}
```

Is there anything I misunderstood?

By Aliaksandr Samuseu staff 06 Jun 2018 at 9:21 a.m. CDT

Hi, Sakit. [The spec](http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint) reads:

> A Client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint using the grant_type value authorization_code, as described in Section 4.1.3 of OAuth 2.0 [RFC6749].

And the OAuth 2.0 doc it references makes `redirect_uri` [a required parameter](https://tools.ietf.org/html/rfc6749#section-4.1.3) for the token request during the authz code flow.

By Sakit Atakishiyev user 06 Jun 2018 at 9:43 a.m. CDT

Hi, Aliaksandr. In this case [this section is not correct in the doc](https://gluu.org/docs/ce/api-guide/openid-connect-api/#openid-connect-token-endpoint).

By William Lowe user 06 Jun 2018 at 12:16 p.m. CDT

> this section is not correct in doc.

Please help us improve by forking and submitting a merge request.

By Sakit Atakishiyev user 06 Jun 2018 at 11:56 p.m. CDT

Hi William. OK, I will do it.

By Sakit Atakishiyev user 07 Jun 2018 at 12:11 a.m. CDT

Aliaksandr, there is also a bug in the code. According to the documentation:

> Redirection URI to which the response will be sent. This URI MUST exactly match one of the redirection URI values for the client pre-registered at the OpenID Provider.

But in the code the developer just checks that `redirect_uri` is not null and not empty in the case of `grant_type=authorization_code`. For example, I can pass `https://google.com` as `redirect_uri` even though this URI was not pre-registered for my client, and the endpoint does not check this.
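The validation Sakit asks for, written out as an added example. This is not oxAuth's `TokenParamsValidator` or any other Gluu code; the class name `RedirectUriCheck`, the registered-URI set and the code-to-URI table are all constructed for illustration. It goes one step beyond the documentation quoted above: besides requiring that `redirect_uri` exactly equal one of the client's pre-registered values, it also requires that it equal the value bound to the authorization code when the code was issued, which is what RFC 6749 section 4.1.3 asks for.

```java
import java.util.Map;
import java.util.Set;

/** Illustrative token-request check for grant_type=authorization_code (not project code). */
public final class RedirectUriCheck {

    /** Constructed sample: redirect URIs pre-registered for one client. */
    static final Set<String> REGISTERED = Set.of(
            "https://app.example.com/callback",
            "https://app.example.com/cb2");

    /**
     * Constructed sample: the redirect_uri that was sent in the authorization
     * request, stored against the authorization code when the code was issued.
     */
    static final Map<String, String> CODE_TO_REDIRECT = Map.of(
            "constructed-code-1", "https://app.example.com/callback");

    /**
     * Returns true only if the code is known, redirect_uri is present, the value
     * is byte-for-byte one of the registered URIs, and it is the same value that
     * was bound to the code. Comparison is plain string equality: no trailing
     * slash, case or path-prefix normalisation, so "https://app.example.com/callback/"
     * does not match "https://app.example.com/callback".
     */
    static boolean isValidAuthorizationCodeRequest(String code, String redirectUri) {
        if (code == null || code.isEmpty()) {
            return false;
        }
        if (redirectUri == null || redirectUri.isEmpty()) {
            return false;          // presence check, the only check in the snippet above
        }
        if (!REGISTERED.contains(redirectUri)) {
            return false;          // not pre-registered for this client
        }
        String bound = CODE_TO_REDIRECT.get(code);
        return bound != null && bound.equals(redirectUri);   // must match the authz request
    }

    public static void main(String[] args) {
        String code = "constructed-code-1";
        // The value bound to the code and registered for the client.
        report(code, "https://app.example.com/callback");
        // A host that was never registered for the client.
        report(code, "https://google.com");
        // Registered, but not the value used in the authorization request.
        report(code, "https://app.example.com/cb2");
        // Differs from the registered value only by a trailing slash.
        report(code, "https://app.example.com/callback/");
        // Missing parameter.
        report(code, null);
    }

    private static void report(String code, String redirectUri) {
        System.out.println(redirectUri + " -> " + isValidAuthorizationCodeRequest(code, redirectUri));
    }
}
```

The binding table is what turns the presence check into a real one: once `redirect_uri` is compared against the value stored with the code, a token request that supplies a different (even registered) URI is rejected, and the exact-string comparison rules out partial or normalised matches.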