doorkeeper-gem · nbulaj · Jan 26, 2018 · Apr 6, 2017
diff --git a/NEWS.md b/NEWS.md
@@ -5,6 +5,7 @@ User-visible changes worth mentioning.
 ## master
 
 - [#970] Escape certain attributes in authorization forms.
+- [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
 
 ## 4.2.5
 

diff --git a/lib/doorkeeper/oauth/authorization_code_request.rb b/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -44,7 +44,10 @@ def validate_grant
       end
 
       def validate_redirect_uri
-        grant.redirect_uri == redirect_uri
+        Helpers::URIChecker.valid_for_authorization?(
+          redirect_uri,
+          grant.redirect_uri
+        )
       end
     end
   end

diff --git a/spec/lib/oauth/authorization_code_request_spec.rb b/spec/lib/oauth/authorization_code_request_spec.rb
@@ -10,9 +10,11 @@ module Doorkeeper::OAuth
     end
     let(:grant)  { FactoryGirl.create :access_grant }
     let(:client) { grant.application }
+    let(:redirect_uri) { client.redirect_uri }
+    let(:params) { { redirect_uri: redirect_uri } }
 
     subject do
-      AuthorizationCodeRequest.new server, grant, client, redirect_uri: client.redirect_uri
+      AuthorizationCodeRequest.new server, grant, client, params
     end
 
     it 'issues a new token for the client' do
@@ -76,5 +78,14 @@ module Doorkeeper::OAuth
         subject.authorize
       end.to_not change { Doorkeeper::AccessToken.count }
     end
+
+    context "when redirect_uri contains some query params" do
+      let(:redirect_uri) { client.redirect_uri + "?query=q" }
+
+      it "compares only host part with grant's redirect_uri" do
+        subject.validate
+        expect(subject.error).to eq(nil)
+      end
+    end
   end
 end