wso2-extensions · AnuradhaSK · Aug 28, 2025 · Aug 28, 2025 · Copilot · Aug 28, 2025
diff --git a/...rg/wso2/carbon/identity/oauth2/authz/validators/AbstractResponseTypeRequestValidator.java b/...rg/wso2/carbon/identity/oauth2/authz/validators/AbstractResponseTypeRequestValidator.java
@@ -350,6 +350,15 @@ private boolean validateCallbackURI(String callbackURI, OAuthAppDO oauthApp) {
             registeredCallbackUrl =
                     registeredCallbackUrl.replaceFirst(OAuthConstants.LOOPBACK_IP_PORT_REGEX, StringUtils.EMPTY);
         }
-        return (regexp != null && callbackURI.matches(regexp)) || registeredCallbackUrl.equals(callbackURI);
+
+        if (regexp == null) {
+            return registeredCallbackUrl.equals(callbackURI);
+        }
+        /*
+        Escape dots only when followed by a letter/digit (so .com, .org, etc. get escaped),
+        but don't touch .* or .+ or .{n} .
+         */
+        regexp = regexp.replaceAll("(?<!\\\\)\\.(?=[A-Za-z0-9])", "\\\\.");
-        Escape dots only when followed by a letter/digit (so .com, .org, etc. get escaped),
-        but don't touch .* or .+ or .{n} .
-         */
-        regexp = regexp.replaceAll("(?<!\\\\)\\.(?=[A-Za-z0-9])", "\\\\.");
+        Do not modify user-provided regex patterns at runtime.
+        Use the registered regex as provided.
+         */
+        // regexp = regexp.replaceAll("(?<!\\\\)\\.(?=[A-Za-z0-9])", "\\\\.");
-        Escape dots only when followed by a letter/digit (so .com, .org, etc. get escaped),
-        but don't touch .* or .+ or .{n} .
-         */
-        regexp = regexp.replaceAll("(?<!\\\\)\\.(?=[A-Za-z0-9])", "\\\\.");
+        Do not modify user-provided regex patterns at runtime.
+        Use the registered regex as provided.
+         */
+        // regexp = regexp.replaceAll("(?<!\\\\)\\.(?=[A-Za-z0-9])", "\\\\.");
+        return callbackURI.matches(regexp);
     }
 }