fix: ignore allowOmittingSingleRegisteredRedirectUri when FAPI 2.0 is used

panva · panva · commit e2de529bea57 · 2025-05-28T16:54:12.000+02:00
diff --git a/lib/actions/authorization/one_redirect_uri_clients.js b/lib/actions/authorization/one_redirect_uri_clients.js
@@ -5,7 +5,7 @@ import instance from '../../helpers/weak_cache.js';
  * to be the requested redirect_uri and used as if it was explicitly provided;
  */
 export default function oneRedirectUriClients(ctx, next) {
-  if (!instance(ctx.oidc.provider).configuration.allowOmittingSingleRegisteredRedirectUri) {
+  if (!instance(ctx.oidc.provider).configuration.allowOmittingSingleRegisteredRedirectUri || ctx.oidc.isFapi('2.0')) {
     return next();
   }
 
diff --git a/test/fapi/fapi2.test.js b/test/fapi/fapi2.test.js
@@ -100,6 +100,51 @@ describe('FAPI 2.0 Final behaviours', () => {
     });
   });
 
+  context('allowOmittingSingleRegisteredRedirectUri', () => {
+    before(function () {
+      this.orig = i(this.provider).configuration.allowOmittingSingleRegisteredRedirectUri;
+      i(this.provider).configuration.allowOmittingSingleRegisteredRedirectUri = true;
+    });
+    after(function () {
+      i(this.provider).configuration.allowOmittingSingleRegisteredRedirectUri = this.orig;
+    });
+    before(function () { return this.login(); });
+    after(function () { return this.logout(); });
+
+    it('is ignored when FAPI 2.0 is used', async function () {
+      const emitSpy = sinon.spy();
+      const renderSpy = sinon.spy(i(this.provider).configuration, 'renderError');
+      this.provider.once('authorization.error', emitSpy);
+
+      const auth = new this.AuthorizationRequest({
+        scope: 'openid',
+        client_id: 'client',
+        response_type: 'code',
+        code_challenge_method: undefined,
+        code_challenge: undefined,
+        redirect_uri: undefined,
+      });
+
+      return this.wrap({
+        agent: this.agent,
+        route: '/auth',
+        verb: 'get',
+        auth,
+      })
+        .expect(() => {
+          renderSpy.restore();
+        })
+        .expect(400)
+        .expect(() => {
+          expect(emitSpy.calledOnce).to.be.true;
+          expect(renderSpy.calledOnce).to.be.true;
+          const renderArgs = renderSpy.args[0];
+          expect(renderArgs[1]).to.have.property('error', 'invalid_request');
+          expect(renderArgs[1]).to.have.property('error_description', "missing required parameter 'redirect_uri'");
+        });
+    });
+  });
+
   describe('Request Object', () => {
     beforeEach(function () { return this.login(); });
     afterEach(function () { return this.logout(); });

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import instance from '../../helpers/weak_cache.js';`
`5`	`5`	`* to be the requested redirect_uri and used as if it was explicitly provided;`
`6`	`6`	`*/`
`7`	`7`	`export default function oneRedirectUriClients(ctx, next) {`
`8`		`- if (!instance(ctx.oidc.provider).configuration.allowOmittingSingleRegisteredRedirectUri) {`
	`8`	`+ if (!instance(ctx.oidc.provider).configuration.allowOmittingSingleRegisteredRedirectUri \|\| ctx.oidc.isFapi('2.0')) {`
`9`	`9`	`return next();`
`10`	`10`	`}`
`11`	`11`