We have an implicit grant javascript client that can obtain an access token.

It doesn't know how to use it yet though.

1 files changed, 13 insertions, 1 deletions

diff --git a/samples/OAuthAuthorizationServer/Code/Client.cs b/samples/OAuthAuthorizationServer/Code/Client.cs
index 62bc193..b32bb15 100644
--- a/samples/OAuthAuthorizationServer/Code/Client.cs
+++ b/samples/OAuthAuthorizationServer/Code/Client.cs
@@ -37,7 +37,19 @@
 		///   <c>true</c> if the callback URL is allowable for this client; otherwise, <c>false</c>.
 		/// </returns>
 		bool IConsumerDescription.IsCallbackAllowed(Uri callback) {
-			return string.IsNullOrEmpty(this.Callback) || callback == new Uri(this.Callback);
+			if (string.IsNullOrEmpty(this.Callback)) {
+				// No callback rules have been set up for this client.
+				return true;
+			}
+
+			// In this sample, it's enough of a callback URL match if the scheme and host match.
+			// In a production app, it is advisable to require a match on the path as well.
+			Uri acceptableCallbackPattern = new Uri(this.Callback);
+			if (String.Equals(acceptableCallbackPattern.GetLeftPart(UriPartial.Authority), callback.GetLeftPart(UriPartial.Authority), StringComparison.Ordinal)) {
+				return true;
+			}
+
+			return false;
 		}
 
 		#endregion