(u *url.URL)
| 94 | } |
| 95 | |
| 96 | func validateScheme(u *url.URL) error { |
| 97 | if u.Scheme == "" { |
| 98 | return xerrors.New("redirect URI must have a scheme") |
| 99 | } |
| 100 | |
| 101 | // Handle special URNs (RFC 6749 section 3.1.2.1). |
| 102 | if u.Scheme == "urn" { |
| 103 | if u.String() == "urn:ietf:wg:oauth:2.0:oob" { |
| 104 | return nil |
| 105 | } |
| 106 | return xerrors.New("redirect URI uses unsupported URN scheme") |
| 107 | } |
| 108 | |
| 109 | // Block dangerous schemes for security (not allowed by RFCs |
| 110 | // for OAuth2). |
| 111 | dangerousSchemes := []string{"javascript", "data", "file", "ftp"} |
| 112 | for _, dangerous := range dangerousSchemes { |
| 113 | if strings.EqualFold(u.Scheme, dangerous) { |
| 114 | return xerrors.Errorf("redirect URI uses dangerous scheme %s which is not allowed", dangerous) |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | return nil |
| 119 | } |
| 120 | |
| 121 | // validateRedirectURIs validates redirect URIs according to RFC 7591, 8252 |
| 122 | func validateRedirectURIs(uris []string, tokenEndpointAuthMethod OAuth2TokenEndpointAuthMethod) error { |
no test coverage detected