Redirect URI Overview
The OAuth process greatly depends on redirect URLs. Once an application receives successful authorization from a user, the authorization server guides the user back to the respective application. Due to the confidential data embedded (authorization code or token) in the redirect URL, it’s crucial that the service does not route the user to random places.
The authorization server should strictly adhere to redirecting to pre-registered locations only.
Should a malefactor manage to alter the redirect URL before the user accesses the authorization server, they might mislead the server to send the user to a malicious site, subsequently passing the authorization code to the attacker. If the authorization endpoint does not restrict the potential URLs for redirection, it is deemed an “open redirector”, which can be exploited along with other factors to initiate attacks not necessarily associated with OAuth. This is a typical method by which attackers aim to intercept an OAuth transaction and snatch access tokens.
Redirect URI Registration
A foolproof method to confirm that the user is only guided to suitable sites is by mandating the developer to enlist one or more redirect URLs at the time of application creation. To register a redirect URI, you need to modify your client configuration within the authorization server settings.
It is important to note that redirect URIs must adhere to a specific URL format, such
https://example.com/callback, and with wildcards not permitted.
Get Free OAuth Authorization Server
Cloudentity comes with multi-tenant authorization server as a service.
Different operating systems support various patterns for native clients. One approach involves the
application subscribing to a specific domain, such as
example.com. Alternatively, the client can
register a custom URL schema like
Why Wildcards Are Not Allowed
The absence of wildcard support is intended to protect users from nested open redirect
vulnerabilities. Allowing wildcards could enable attackers to redirect users to different pages
under the supported wildcard, creating a vulnerability to open redirects. For example, an attacker
could exploit a redirect like
Redirect URIs in Authorization Code Flow
During the authorization flow, the client is required to provide a valid preconfigured redirect URI. Additionally, the client has the option to specify a redirect URI when making the call to the token endpoint.