Connected Account type XenForo does not work if target is not running at domain root

Kirby

Well-known member
Affected version
2.3.0 Beta 4
XF\ConnectedAccount\Service\XenForo.php

PHP:
public function getAuthorizationEndpoint(): Uri
{
    $provider = $this->getProvider();
    $endpoint = new Uri($provider->options['board_url']);
    $endpoint->setPath('/oauth2/authorize');

    return $endpoint;
}

public function getAccessTokenEndpoint(): Uri
{
    $provider = $this->getProvider();
    $endpoint = new Uri($provider->options['board_url']);
    $endpoint->setPath('/api/oauth2/token');

    return $endpoint;
}

This generates URLs that point to the domain root, not necessarily the path specified by $provider->options['board_url']; if this is a subdirectory, the requests might/will fail.
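The difference between replacing the path and appending to the configured base path, as an added example that is not part of the original report or XenForo's own code. The function names and sample board URLs are constructed for illustration, and plain parse_url() stands in for the Uri class.

```php
<?php
// Added illustration; function names are hypothetical, not XenForo API.

/** Split an absolute board URL into [origin, base path without trailing slash]. */
function splitBoardUrl(string $boardUrl): array
{
    $p = parse_url($boardUrl);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $boardUrl");
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');

    return [$origin, rtrim($p['path'] ?? '', '/')];
}

/** Reported behaviour: the endpoint path replaces the board URL's own path. */
function endpointReplacingPath(string $boardUrl, string $endpointPath): string
{
    [$origin] = splitBoardUrl($boardUrl);

    return $origin . '/' . ltrim($endpointPath, '/');
}

/** Expected behaviour: the endpoint path is appended to the board's base path. */
function endpointKeepingBasePath(string $boardUrl, string $endpointPath): string
{
    [$origin, $basePath] = splitBoardUrl($boardUrl);

    return $origin . $basePath . '/' . ltrim($endpointPath, '/');
}

// Constructed sample values for board_url: domain root, subdirectory, subdirectory with port.
$boardUrls = ['https://example.com', 'https://example.com/community/', 'https://example.com:8443/forums'];

foreach ($boardUrls as $boardUrl) {
    foreach (['/oauth2/authorize', '/api/oauth2/token'] as $endpointPath) {
        $replaced = endpointReplacingPath($boardUrl, $endpointPath);
        $kept = endpointKeepingBasePath($boardUrl, $endpointPath);
        // The two only agree when the board runs at the domain root.
        printf("%s\n  replaced: %s\n  kept:     %s\n  %s\n", $boardUrl, $replaced, $kept,
            $replaced === $kept ? 'same endpoint' : 'endpoint leaves the board path');
    }
}
```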
 