FriendsOfSymfony · ghost · Jun 24, 2016 · netmikey · Apr 19, 2017
diff --git a/lib/OAuth2.php b/lib/OAuth2.php
@@ -888,12 +888,8 @@ protected function grantAccessTokenAuthCode(IOAuth2Client $client, array $input)
             throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "Code doesn't exist or is invalid for the client");
         }
 
-        // Validate the redirect URI. If a redirect URI has been provided on input, it must be validated
-        if ($input["redirect_uri"] && !$this->validateRedirectUri(
-                $input["redirect_uri"],
-                $authCode->getRedirectUri()
-            )
-        ) {
+        // Validate the redirect URI. If a redirect URI has been provided on input, it must be identical
+        if ($input["redirect_uri"] && $input["redirect_uri"] === $authCode->getRedirectUri()) {
             throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or do not match");
         }
 
@@ -1501,7 +1497,7 @@ private function getJsonHeaders()
      * Internal method for validating redirect URI supplied
      *
      * @param string       $inputUri
-     * @param string|array $storedUris
+     * @param array $storedUris
      *
      * @return bool
      */
@@ -1525,10 +1521,6 @@ protected function validateRedirectUri($inputUri, $storedUris)
             }
         }
 
-        if (!is_array($storedUris)) {
-            $storedUris = array($storedUris);
-        }
-
         foreach ($storedUris as $storedUri) {
             if (strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0) {
                 return true;