From 15ae992915b23b3845a4ecbe7b2d9e9ed095deda Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 6 Dec 2019 16:57:12 -0500
Subject: [PATCH] ensure the redirect URI isn't replaced by the AS in a dynamic client registration
---
 ...DynamicRegistrationClientConfigurationService.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java
index 2c32fd8fd..1d1fdb90d 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java
@@ -207,6 +207,17 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
 RegisteredClient client = ClientDetailsEntityJsonProcessor.parseRegistered(registered);
+ // make sure the redirect URI wasn't replaced by the AS
+ if (client.getRedirectUris() != null) {
+ if (!client.getRedirectUris().equals(template.getRedirectUris())) {
+ throw new InvalidClientException("Redirect URI did not match requested value");
+ }
+ } else {
+ if (template.getRedirectUris() != null) {
+ throw new InvalidClientException("Redirect URI did not match requested value");
+ }
+ }
+
 // save this client for later
 registeredClientService.save(serverConfig.getIssuer(), client);
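Review bot: The added check treats a null redirect-URI collection and an empty one as different values, so if `parseRegistered` yields an empty set where the template holds null (or the reverse), a legitimate registration is rejected; whether that can happen depends on the parser, which is not visible here. The two branches also repeat the same throw and could be collapsed into one null-safe comparison, `if (!Objects.equals(client.getRedirectUris(), template.getRedirectUris())) {`, which needs `java.util.Objects` if the file does not already import it. The exception message names neither the issuer nor the values the server returned, so an operator who sees it cannot tell which authorization server altered the registration; adding `serverConfig.getIssuer()` to the message or to a warn-level log line would make the event traceable. The enclosing method starts and ends outside the hunk.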