There are two main places where we compare URLs against each other to ensure they match in someway.
-
Dynamic Clients. We make sure that the client_uri ( which is what we display in the UI ) is the same host as the redirect_uris and other uris. This currently uses parse_url( PHP_URL_HOST ). Can this be spoofed?
-
Redirect URIs. We check that the requested redirect_uri is one of the whitelisted redirect_uris. Is this an accurate check?
There are two main places where we compare URLs against each other to ensure they match in someway.
Dynamic Clients. We make sure that the
client_uri( which is what we display in the UI ) is the same host as theredirect_urisand other uris. This currently usesparse_url( PHP_URL_HOST ). Can this be spoofed?Redirect URIs. We check that the requested redirect_uri is one of the whitelisted redirect_uris. Is this an accurate check?