This repository has been archived by the owner on Jan 20, 2024. It is now read-only.
AFAIK, there's nothing in the spec that indicates an intermediary redirect during the authorization code grant flow should be disallowed. Assuming I'm using the library correctly, I believe this library (basically) disallows it at this line - https://github.com/mulesoft/js-client-oauth2/blob/master/src/client-oauth2.js#L588

That line forces the original redirectUri pathname to match the pathname after the final redirect (the one that this library is loaded on). Well, technically it doesn't forbid an intermediary redirect, but it does require the first redirect to use the same pathname as the final. Is there any reason to not just remove that check? Per the oauth2 spec, the authorization server should be handling any security concerns around redirect URI domains. I'm not sure why the path would need to match - these seem independent to me.

Am I missing a reason to keep it?

edit: if no one has any concerns, I'm happy to make the change. It should be a very small change.

Druotic pushed a commit to Druotic/js-client-oauth2 that referenced this issue on Dec 27, 2019.

The change was so small, I went ahead and put up a PR.

I only addressed the concern in the authorization code flow since that is the flow I am using. However, I'm happy to update the other flow(s) as appropriate - I didn't bother doing it yet since I haven't heard back on the original proposal yet. Let me know if this is something that you'd like to see in all flows.

We're using this change internally (via a fork) and it has worked great for us so far. Let me know if there's anything you'd like to see changed - I'd be happy to address any feedback.
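The following is an added example written for this page; it is not code from mulesoft/js-client-oauth2 or from the issue author. It models the authorization-code callback parsing the issue is about: the pathname comparison under discussion is exposed as a toggle (requirePathMatch) so both behaviours can be observed, while the checks a client must keep regardless of that toggle, the error parameter and above all the state comparison from RFC 6749 section 10.12, stay unconditional. Function and class names (parseAuthorizationResponse, CallbackError, outcome), the sample URLs and the state value are all constructed for the example; the exact redirect_uri matching the post defers to the authorization server is assumed to happen there and is not modelled here.

```javascript
// Added example, not code from js-client-oauth2. Hypothetical names throughout;
// sample URLs, code and state values are constructed. Runs on Node (global URL).

class CallbackError extends Error {}

/**
 * Parse the URL the browser lands on after the authorization server redirects
 * back, and decide whether it is an acceptable authorization-code response.
 *
 * @param {string} landingUrl  the URL the app is loaded on (the final redirect)
 * @param {object} opts
 * @param {string} opts.redirectUri    redirect_uri that was sent to the AS
 * @param {string} opts.expectedState  state value stored before redirecting
 * @param {boolean} [opts.requirePathMatch=true]  the check discussed in the issue
 * @returns {{code: string}}
 */
function parseAuthorizationResponse(landingUrl, opts) {
  const url = new URL(landingUrl);
  const configured = new URL(opts.redirectUri);
  const requirePathMatch = opts.requirePathMatch !== false;

  // The check under discussion: the path the app is loaded on must equal the
  // path of the configured redirect_uri. An intermediary redirect that lands
  // the app on another path of the same origin fails here even though the AS
  // already accepted the redirect_uri it was given.
  if (requirePathMatch && url.pathname !== configured.pathname) {
    throw new CallbackError(
      `Redirected path should match configured path, but got: ${url.pathname}`);
  }

  const params = url.searchParams;

  // Error responses carry an "error" parameter (RFC 6749 section 4.1.2.1).
  if (params.has('error')) {
    const desc = params.get('error_description');
    throw new CallbackError(params.get('error') + (desc ? ': ' + desc : ''));
  }

  // The client-side check that must stay whatever happens to the path check:
  // "state" binds this response to the request this client itself started
  // (RFC 6749 section 10.12), so a response the client never asked for is
  // rejected instead of being exchanged for a token.
  const state = params.get('state');
  if (!opts.expectedState || state !== opts.expectedState) {
    throw new CallbackError('Invalid state: ' + state);
  }

  const code = params.get('code');
  if (!code) {
    throw new CallbackError('Missing code, unable to request token');
  }
  return { code };
}

// Constructed sample: the configured redirect_uri, the page actually loaded
// after an intermediary redirect that preserved the query string, and the
// same response landing directly on the configured path.
const REDIRECT_URI = 'https://app.example/oauth/callback';
const STATE = 'c3d1f0a8';
const CODE = 'SplxlOBeZQQYbYS6WxSbIA';
const LANDED_AFTER_INTERMEDIARY_REDIRECT =
  `https://app.example/home?code=${CODE}&state=${STATE}`;
const LANDED_ON_CONFIGURED_PATH =
  `https://app.example/oauth/callback?code=${CODE}&state=${STATE}`;
const LANDED_WITH_ERROR =
  `https://app.example/oauth/callback?error=access_denied&state=${STATE}`;

/** Run one callback through the parser and report the outcome as a string. */
function outcome(landingUrl, requirePathMatch, expectedState = STATE) {
  try {
    const { code } = parseAuthorizationResponse(landingUrl, {
      redirectUri: REDIRECT_URI, expectedState, requirePathMatch });
    return 'accepted:' + code;
  } catch (e) {
    if (e instanceof CallbackError) return 'rejected:' + e.message;
    throw e;
  }
}

// Strict path check rejects the intermediary-redirect case; relaxing it
// accepts the same response, but only because the state still matches.
console.log(outcome(LANDED_ON_CONFIGURED_PATH, true));
console.log(outcome(LANDED_AFTER_INTERMEDIARY_REDIRECT, true));
console.log(outcome(LANDED_AFTER_INTERMEDIARY_REDIRECT, false));
console.log(outcome(LANDED_AFTER_INTERMEDIARY_REDIRECT, false, 'other-state'));
console.log(outcome(LANDED_WITH_ERROR, true));
```

The four calls at the bottom show the trade-off in the issue: with requirePathMatch on, the response that arrived via the intermediary redirect is rejected on pathname alone; with it off, the same response is accepted, and what still protects the client is the state comparison (a mismatched state is rejected in either mode). Dropping the pathname check is therefore a loss of one redundant client-side sanity check, not of the check the spec actually assigns to the client, provided state verification stays and the authorization server performs exact redirect_uri matching.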