OAuth Redirect URI
Redirect URIs play a crucial role in OAuth security, as their primary purpose is to safeguard users against potential attacks in redirect-based flows.
Redirect URI Overview
The OAuth process greatly depends on redirect URLs. Once an application receives successful authorization from a user, the authorization server guides the user back to the respective application. Due to the confidential data embedded (authorization code or token) in the redirect URL, it's crucial that the service does not route the user to random places.
The authorization server should strictly adhere to redirecting to pre-registered locations only.
Should a malefactor manage to alter the redirect URL before the user accesses the authorization server, they might mislead the server to send the user to a malicious site, subsequently passing the authorization code to the attacker. If the authorization endpoint does not restrict the potential URLs for redirection, it is deemed an "open redirector", which can be exploited along with other factors to initiate attacks not necessarily associated with OAuth. This is a typical method by which attackers aim to intercept an OAuth transaction and snatch access tokens.
Redirect URI Registration
A foolproof method to confirm that the user is only guided to suitable sites is by mandating the developer to enlist one or more redirect URLs at the time of application creation. To register a redirect URI, you need to modify your client configuration within the authorization server settings.
It is important to note that redirect URIs must adhere to a specific URL format, such as https://example.com/callback
, and with wildcards not permitted.
Native Clients
Different operating systems support various patterns for native clients. One approach involves the application subscribing to a specific domain, such as example.com
. Alternatively, the client can register a custom URL schema like cemobile://callback
.
Why Wildcards Are Not Allowed
The absence of wildcard support is intended to protect users from nested open redirect vulnerabilities. Allowing wildcards could enable attackers to redirect users to different pages under the supported wildcard, creating a vulnerability to open redirects. For example, an attacker could exploit a redirect like https://example.com/callback?redirect=https://example-evil.com
.
Redirect URIs in Authorization Code Flow
During the authorization flow, the client is required to provide a valid preconfigured redirect URI. Additionally, the client has the option to specify a redirect URI when making the call to the token endpoint.