Ask Claude to make redirect_uri optional on token exchanges with PKCE.

The current OAuth 2.1 draft section 10.2 says:

> 10.2. Redirect URI Parameter in Token Request
>
> In OAuth 2.0, the request to the token endpoint in the authorization code flow (section 4.1.3 of [RFC6749]) contains an optional redirect_uri parameter. The parameter was intended to prevent an authorization code injection attack, and was required if the redirect_uri parameter was sent in the original authorization request. The authorization request only required the redirect_uri parameter if multiple redirect URIs were registered to the specific client. However, in practice, many authorization server implementations required the redirect_uri parameter in the authorization request even if only one was registered, leading the redirect_uri parameter to be required at the token endpoint as well.
>
> In OAuth 2.1, authorization code injection is prevented by the code_challenge and code_verifier parameters, making the inclusion of the redirect_uri parameter serve no purpose in the token request. As such, it has been removed.
>
> For backwards compatibility of an authorization server wishing to support both OAuth 2.0 and OAuth 2.1 clients, the authorization server MUST allow clients to send the redirect_uri parameter in the token request (Section 4.1.3), and MUST enforce the parameter as described in [RFC6749]. The authorization server can use the client_id in the request to determine whether to enforce this behavior for the specific client that it knows will be using the older OAuth 2.0 behavior.
>
> A client following only the OAuth 2.1 recommendations will not send the redirect_uri in the token request, and therefore will not be compatible with an authorization server that expects the parameter in the token request.

I first had a conversation with Claude about this requirement. Claude first insisted that redirect_uri was still required under OAuth 2.1. I quoted the section above, and Claude then agreed it is not required. Claude said we'd need to add a way to distinguish 2.0 client from 2.1. I proposed we just base it on whether they are using PKCE, since that seems to be the reason for the requirement change, and Claude agreed.

Author: kentonv

__tests__/oauth-provider.test.ts

@@ -646,6 +646,119 @@ describe('OAuthProvider', () => {
       expect(grant.refreshTokenId).toBeDefined(); // Refresh token should be added
     });
 
+    it('should reject token exchange without redirect_uri when not using PKCE', async () => {
+      // First get an auth code
+      const authRequest = createMockRequest(
+        `https://example.com/authorize?response_type=code&client_id=${clientId}` +
+        `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+        `&scope=read%20write&state=xyz123`
+      );
+
+      const authResponse = await oauthProvider.fetch(authRequest, mockEnv, mockCtx);
+      const location = authResponse.headers.get('Location')!;
+      const url = new URL(location);
+      const code = url.searchParams.get('code')!;
+
+      // Now exchange the code without providing redirect_uri
+      const formData = new MockFormData();
+      formData.append('grant_type', 'authorization_code');
+      formData.append('code', code);
+      // redirect_uri intentionally omitted
+      formData.append('client_id', clientId);
+      formData.append('client_secret', clientSecret);
+
+      // Mock FormData in request
+      vi.spyOn(Request.prototype, 'formData').mockResolvedValue(formData as unknown as FormData);
+
+      const tokenRequest = createMockRequest(
+        'https://example.com/oauth/token',
+        'POST',
+        { 'Content-Type': 'application/x-www-form-urlencoded' },
+        formData as unknown as FormData
+      );
+
+      const tokenResponse = await oauthProvider.fetch(tokenRequest, mockEnv, mockCtx);
+
+      // Should fail because redirect_uri is required when not using PKCE
+      expect(tokenResponse.status).toBe(400);
+      const error = await tokenResponse.json();
+      expect(error.error).toBe('invalid_request');
+      expect(error.error_description).toBe('redirect_uri is required when not using PKCE');
+    });
+
+    // Helper function for PKCE tests
+    function generateRandomString(length: number): string {
+      const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+      let result = '';
+      const values = new Uint8Array(length);
+      crypto.getRandomValues(values);
+      for (let i = 0; i < length; i++) {
+        result += characters.charAt(values[i] % characters.length);
+      }
+      return result;
+    }
+
+    // Helper function for PKCE tests
+    function base64UrlEncode(str: string): string {
+      return btoa(str)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+    }
+
+    it('should accept token exchange without redirect_uri when using PKCE', async () => {
+      // Generate PKCE code verifier and challenge
+      const codeVerifier = generateRandomString(43); // Recommended length
+      const encoder = new TextEncoder();
+      const data = encoder.encode(codeVerifier);
+      const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+      const hashArray = Array.from(new Uint8Array(hashBuffer));
+      const codeChallenge = base64UrlEncode(String.fromCharCode(...hashArray));
+
+      // First get an auth code with PKCE
+      const authRequest = createMockRequest(
+        `https://example.com/authorize?response_type=code&client_id=${clientId}` +
+        `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+        `&scope=read%20write&state=xyz123` +
+        `&code_challenge=${codeChallenge}&code_challenge_method=S256`
+      );
+
+      const authResponse = await oauthProvider.fetch(authRequest, mockEnv, mockCtx);
+      const location = authResponse.headers.get('Location')!;
+      const url = new URL(location);
+      const code = url.searchParams.get('code')!;
+
+      // Now exchange the code without providing redirect_uri
+      const formData = new MockFormData();
+      formData.append('grant_type', 'authorization_code');
+      formData.append('code', code);
+      // redirect_uri intentionally omitted
+      formData.append('client_id', clientId);
+      formData.append('client_secret', clientSecret);
+      formData.append('code_verifier', codeVerifier);
+
+      // Mock FormData in request
+      vi.spyOn(Request.prototype, 'formData').mockResolvedValue(formData as unknown as FormData);
+
+      const tokenRequest = createMockRequest(
+        'https://example.com/oauth/token',
+        'POST',
+        { 'Content-Type': 'application/x-www-form-urlencoded' },
+        formData as unknown as FormData
+      );
+
+      const tokenResponse = await oauthProvider.fetch(tokenRequest, mockEnv, mockCtx);
+
+      // Should succeed because redirect_uri is optional when using PKCE
+      expect(tokenResponse.status).toBe(200);
+
+      const tokens = await tokenResponse.json();
+      expect(tokens.access_token).toBeDefined();
+      expect(tokens.refresh_token).toBeDefined();
+      expect(tokens.token_type).toBe('bearer');
+      expect(tokens.expires_in).toBe(3600);
+    });
+
     it('should accept the access token for API requests', async () => {
       // Get an auth code
       const authRequest = createMockRequest(

oauth-provider.ts

@@ -1036,22 +1036,6 @@ class OAuthProviderImpl {
       );
     }
 
-    // OAuth 2.1 requires redirect_uri parameter
-    if (!redirectUri) {
-      return createErrorResponse(
-        'invalid_request',
-        'redirect_uri is required'
-      );
-    }
-
-    // OAuth 2.1 requires exact match for redirect URIs
-    if (!clientInfo.redirectUris.includes(redirectUri)) {
-      return createErrorResponse(
-        'invalid_grant',
-        'Invalid redirect URI'
-      );
-    }
-
     // Parse the authorization code to extract user ID and grant ID
     const codeParts = code.split(':');
     if (codeParts.length !== 3) {
@@ -1099,8 +1083,27 @@ class OAuthProviderImpl {
       );
     }
 
+    // Check if PKCE is being used
+    const isPkceEnabled = !!grantData.codeChallenge;
+
+    // OAuth 2.1 requires redirect_uri parameter unless PKCE is used
+    if (!redirectUri && !isPkceEnabled) {
+      return createErrorResponse(
+        'invalid_request',
+        'redirect_uri is required when not using PKCE'
+      );
+    }
+
+    // Verify redirect URI if provided
+    if (redirectUri && !clientInfo.redirectUris.includes(redirectUri)) {
+      return createErrorResponse(
+        'invalid_grant',
+        'Invalid redirect URI'
+      );
+    }
+
     // Verify PKCE code_verifier if code_challenge was provided during authorization
-    if (grantData.codeChallenge) {
+    if (isPkceEnabled) {
       if (!codeVerifier) {
         return createErrorResponse(
           'invalid_request',