Invalid authorization redirect URI appears to redirect to the invalid redirect URI

[night]

When a user tries to authorize an authorization request containing an invalid redirect URI, the server will redirect said user to the invalid redirect URI.

The code at

authlib/authlib/oauth2/rfc6749/grants/base.py

Line 116 in 5564d2d

def validate_authorization_redirect_uri(self, client):

is validating the redirect URI for the grant, and the code at

authlib/authlib/oauth2/rfc6749/authorization_server.py

Line 169 in 5564d2d

if grant.redirect_uri:

is redirecting to the grant's redirect_uri despite it being invalid.

The server should probably be handling this by returning the standard error response, not a redirect.

If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirection URI using the
"application/x-www-form-urlencoded" format, per Appendix B:

see https://tools.ietf.org/html/rfc6749#section-4.1.2.1 for more details