Should redirect uri check ignore query params?

[patrick91]

I was trying to setup buffer today, and their redirect uri looks something like this: https://account.buffer.com/channels/connect?connectingMastodon=true&server=serverName&followBuffer=false

Which seems to break the check in here:

takahe/api/views/oauth.py

Lines 91 to 97 in 1ceef59

	if application.redirect_uris and redirect_uri not in application.redirect_uris:
	return render(
	request,
	"api/oauth_error.html",
	{"error": "Invalid application redirect URI"},
	status=401,
	)

Putting the full URL worked in the application object worked, so I was wondering if we should ignore query params 😊

[andrewgodwin]

That's strictly against the OAuth spec:

redirect_uri
         REQUIRED, if the "redirect_uri" parameter was included in the
         authorization request as described in [Section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1), and their
         values MUST be identical.

If it's just Buffer, I'm not entirely inclined to fix it unless other stuff starts doing it too?