Revert "Allow public clients (e.g. with PKCE) to have redirect URIs configured"

server/oauth2.go

@@ -588,15 +588,12 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool
 }
 
 func validateRedirectURI(client storage.Client, redirectURI string) bool {
-	// Allow named RedirectURIs for both public and non-public clients.
-	// This is required make PKCE-enabled web apps work, when configured as public clients.
-	for _, uri := range client.RedirectURIs {
-		if redirectURI == uri {
-			return true
-		}
-	}
-	// For non-public clients, only named RedirectURIs are allowed.
 	if !client.Public {
+		for _, uri := range client.RedirectURIs {
+			if redirectURI == uri {
+				return true
+			}
+		}
 		return false
 	}
 

server/oauth2_test.go

@@ -340,7 +340,6 @@ func TestValidRedirectURI(t *testing.T) {
 				RedirectURIs: []string{"http://foo.com/bar"},
 			},
 			redirectURI: "http://foo.com/bar/baz",
-			wantValid:   false,
 		},
 		{
 			client: storage.Client{
@@ -370,30 +369,6 @@ func TestValidRedirectURI(t *testing.T) {
 			redirectURI: "http://localhost",
 			wantValid:   true,
 		},
-		// Both Public + RedirectURIs configured: Could e.g. be a PKCE-enabled web app.
-		{
-			client: storage.Client{
-				Public: true,
-				RedirectURIs: []string{"http://foo.com/bar"},
-			},
-			redirectURI: "http://foo.com/bar",
-			wantValid:   true,
-		},
-		{
-			client: storage.Client{
-				Public: true,
-				RedirectURIs: []string{"http://foo.com/bar"},
-			},
-			redirectURI: "http://foo.com/bar/baz",
-			wantValid:   false,
-		},
-		{
-			client: storage.Client{
-				Public: true,
-			},
-			redirectURI: "http://foo.com/bar",
-			wantValid:   false,
-		},
 		{
 			client: storage.Client{
 				Public: true,