Redirect_URI allowlist

[dshanske]

Currently, the plugin only supports redirect_uris on the same domain as the client_id. The spec calls for having the client_id have a allowlist of acceptable redirect_uris that can be polled. This is not yet supported.

@aaronpk alternatively alllows this to be overridden by issuing a warning in the authorization screen, as opposed to what the plugin does, which is reject it.

https://indieauth.spec.indieweb.org/#redirect-url

[aaronpk]

Here's what my auth endpoint shows when there is a mismatch.

If the redirect_uri and client_id have the same domain then that notice is not shown.

[aaronpk]

In case people are searching for the error message they see, the wordpress plugin currently shows this when encountering this error:

{"error":"invalid_grant","error_description":"Redirect not on same host as client"}

[miklb]

I'm currently experiencing this issue with Indigenous.

[dshanske]

This was changed in version 2.0.2

[dshanske]

The issue is still open as it warns, but doesn't check for a allowlist