I dug quite a bit into this. It doesn't look like we've got a covert redirect vulnerability here. To be clear, there is a redirect (invitation) but it is limited to the specified resource on the server (not open redirection).
I don't quite see that as vulnerable.
Furthermore, the added "invitation" query parameter does not invalidate matching of the redirect_uri, as query parameters are allowed per https://tools.ietf.org/html/rfc6749#section-3.1.2
However, I do agree that we should switch to use the state parameter instead, if only to follow the recommendations at https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-registration/#per-request
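An added illustration of the state-parameter approach recommended in the comment above (example code, not the project's own): the invitation is bound server-side to a random `state` value, so the redirect_uri sent to the authorization server stays exactly the registered one. The endpoint, client id and invitation value are constructed placeholders.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed values for the example; not taken from any real deployment.
REGISTERED_REDIRECT_URI = "https://app.example/oauth/callback"
AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"
CLIENT_ID = "example-client"


def build_authorization_url(session: dict, invitation_id: str) -> str:
    """Start the flow. The invitation id is remembered in the server-side
    session under a random state value instead of being appended to the
    redirect_uri, so the redirect_uri matches the registered value exactly."""
    state = secrets.token_urlsafe(32)
    session.setdefault("oauth_states", {})[state] = invitation_id
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,  # no per-request query string
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session: dict, params: dict) -> Optional[str]:
    """Validate the state returned on the callback and hand back the
    invitation id it was bound to. Returns None when the state is missing,
    unknown, or already consumed (CSRF attempt or replay)."""
    state = params.get("state") or ""
    states = session.get("oauth_states", {})
    # Compare in constant time rather than with a plain dict lookup.
    match = next((s for s in states if hmac.compare_digest(s, state)), None)
    if match is None:
        return None
    return states.pop(match)  # state values are single-use
```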