I had a brief look at this (wouldn't consider it to be an exhaustive look, just looked for references to GetRedirectURIs() and from there found the most likely sources). It appears what's occurring is if the clients have a single redirect URI and the redirect URI provided to the authorization endpoint has an empty or non-existent redirect URI the single configured redirect URI (in the client) is used.

See (also note the duplicate comment haha):

Also See (note the check of if redirect URI is nil):

Maybe making the following changes would be viable:

• Add a func to the Client interface to facilitate per-client customization which is either:
  1. A function with the signature MatchRedirectURI(rawurl string) (*url.URL, err error)
  2. A function with the signature GetRedirectURIMatcher() func(rawurl string, client Client) (*url.URL, err error)
• Add func to the Client interface with the signature MatchRedirectURIWithClientRedirectURIs(rawurl string) (*url.URL, err error) - Rename fosite.MatchRedirectURIWithClientRedirectURIs to fosite.MatchOAuth2RedirectURIWithClientRedirectURIs
• Add a new fosite.MatchRedirectURIWithClientRedirectURIs which is effectively a clone of the original function but excludes the first conditional
• Adjust fosite.MatchOAuth2RedirectURIWithClientRedirectURIs to have the first conditional only, then call fosite.MatchRedirectURIWithClientRedirectURIs
• If option 2 is used, we would check the result of client.GetRedirectURIMatcher(), if not nil then we'd immediately return the result of that func. If it is nil then we'd return the default behavior.

Just found the only call to IsRedirectURIValid() is in WriteAuthorizeError. Seems strange?

Ahhh I see why. Here's where it's actually used in NewAuthorizeRequest:

Wouldn't it be simpler to handle this by just modifying validateAuthorizeScope in authorize_request_handler.go?

Drop this at the bottom of that function after request.SetRequestedScopes(scope).

if request.GetRequestedScopes().Has("openid") && r.Form.Get("redirect_uri") == "" {
    return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Redirect URI information is required."))
}

This would satisfy the core spec that requires redirect_uri to be included in the request if scope=openid is used.

Considering it's not an OpenID Authorize Request without the openid scope this indeed is a brilliant idea. I question if we should instead reverse the order of validateAuthorizeScope and validateAuthorizeRedirectURI and check this within validateAuthorizeRedirectURI instead however. Similar to this:

func (f *Fosite) validateAuthorizeRedirectURI(_ *http.Request, request *AuthorizeRequest) error {
	// Fetch redirect URI from request
	rawRedirURI := request.Form.Get("redirect_uri")

	if rawRedirURI == "" && request.GetRequestedScopes().Has("openid") {
		return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Redirect URI information is required."))
	}
	
	// Validate redirect uri
	redirectURI, err := MatchRedirectURIWithClientRedirectURIs(rawRedirURI, request.Client)
	if err != nil {
		return err
	} else if !IsValidRedirectURI(redirectURI) {
		return errorsx.WithStack(ErrInvalidRequest.WithHintf("The redirect URI '%s' contains an illegal character (for example #) or is otherwise invalid.", redirectURI))
	}
	request.RedirectURI = redirectURI
	return nil
}