From b476b434b84cfd9099030387b21f5a1bff578eb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Mon, 15 Jan 2024 20:23:44 +0200
Subject: [PATCH] fix(op): check redirect URI in code exchange

This changes fixes a missing redirect check in the Legacy Server's Code Exchange handler.
---
 pkg/op/server_legacy.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/op/server_legacy.go b/pkg/op/server_legacy.go
index 114d431..089be6f 100644
--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
@@ -210,6 +210,9 @@ func (s *LegacyServer) CodeExchange(ctx context.Context, r *ClientRequest[oidc.A
 return nil, err
 }
 }
+if r.Data.RedirectURI != authReq.GetRedirectURI() {
+return nil, oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond")
+}
 resp, err := CreateTokenResponse(ctx, authReq, r.Client, s.provider, true, r.Data.Code, "")
 if err != nil {
 return nil, err
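Review bot: The new `if r.Data.RedirectURI != authReq.GetRedirectURI()` guard has no accompanying test, so the rejection branch is unpinned; a CodeExchange test case that exchanges a code issued for one redirect_uri while presenting a different one (and one presenting none) and expects invalid_grant would cover it. Exact string comparison is the right operator here, since RFC 6749 §4.1.3 requires the token-request value to be identical to the one sent in the authorization request. One edge to confirm is an authorization request that omitted redirect_uri (allowed when the client has a single registered URI): if GetRedirectURI() then yields an empty string, a token request that does carry the registered URI is presumably rejected by this line, which may or may not be the intended policy. The error text could name the contract more precisely, e.g. `WithDescription("redirect_uri does not match the authorization request")`. CodeExchange's body starts and ends outside the hunk.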