doorkeeper-gem · nbulaj · Mar 14, 2024
diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -59,7 +59,7 @@ def validate_params
         @missing_param =
           if grant&.uses_pkce? && code_verifier.blank?
             :code_verifier
-          elsif redirect_uri.blank?
+          elsif redirect_uri.blank? && !allow_blank_redirect_uri?
             :redirect_uri
           end
 
@@ -77,6 +77,14 @@ def validate_grant
       end
 
       def validate_redirect_uri
+        # 4.1.3.  Access Token Request
+        #   redirect_uri
+        #       REQUIRED, if the "redirect_uri" parameter was included in the
+        #       authorization request as described in Section 4.1.1, and their
+        #       values MUST be identical.
+        #
+        return true if redirect_uri.nil? && allow_blank_redirect_uri?
+
         Helpers::URIChecker.valid_for_authorization?(
           redirect_uri,
           grant.redirect_uri,
@@ -109,6 +117,12 @@ def custom_token_attributes_with_data
           .slice(*Doorkeeper.config.custom_access_token_attributes)
           .symbolize_keys
       end
+
+      def allow_blank_redirect_uri?
+        return @client_requires_redirect_uri if defined?(@client_requires_redirect_uri)
+
+        @client_requires_redirect_uri = grant&.redirect_uri.blank?
+      end
     end
   end
 end
diff --git a/lib/doorkeeper/oauth/pre_authorization.rb b/lib/doorkeeper/oauth/pre_authorization.rb
@@ -98,7 +98,31 @@ def validate_resource_owner_authorize_for_client
       end
 
       def validate_redirect_uri
-        return false if redirect_uri.blank?
+        # 4.1.1.  Authorization Request
+        #
+        #    redirect_uri
+        #          OPTIONAL.  As described in Section 3.1.2.
+        #
+        #  @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+        #
+        if redirect_uri.nil?
+          # 3.1.2.3.  Dynamic Configuration
+          #
+          #    If multiple redirection URIs have been registered, if only part of
+          #    the redirection URI has been registered, or if no redirection URI has
+          #    been registered, the client MUST include a redirection URI with the
+          #    authorization request using the "redirect_uri" request parameter.
+          #
+          # @see https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3
+          #
+          if client.redirect_uri.blank?
+            @missing_param = :redirect_uri
+            return false
+          else
+            @redirect_uri = client.redirect_uri
+            return true
+          end
+        end
 
         Helpers::URIChecker.valid_for_authorization?(
           redirect_uri,