OAuth Redirect URI

Redirect URIs ensure secure communication during the OAuth process. After a user authorizes an application, the authorization server redirects them back to the application. To keep the authorization code or token secure, the server must redirect only to pre-registered locations.

If attackers modify the redirect URI, they can trick the server into sending users to malicious sites. This tactic can allow attackers to intercept authorization codes or tokens. Authorization servers must avoid being "open redirectors," which lack restrictions on redirect destinations and can be exploited.

To ensure secure redirection, you must register one or more redirect URIs when setting up their application. Configure redirect URIs in the authorization server settings, using valid formats like https://example.com/callback. Wildcards are not allowed..

Native applications can use specific redirect patterns based on the operating system. Examples include subscribing to domains like example.com or using custom URL schemes such as cemobile://callback.

Blocking wildcards prevents nested open redirect vulnerabilities. Attackers could use wildcards to redirect users to malicious pages, such as exploiting https://example.com/callback?redirect=https://example-evil.com.

During the authorization process, clients must use valid preconfigured redirect URIs. Clients can also specify a redirect URI when calling the token endpoint.