The authorized redirect URI is used by Google to do a callback to pass the authorization token.
It is also used for validation by Google. So when receiving the actual OAuth request, Google checks to see if the callback URL given in the request is the same as the "Authorized redirect URI" and if not it throws an error.
My requirement is to prevent Google from doing this validation as I want to be able to pass different callback URLs at run time. I tried giving the "authorized redirect URI" as empty, but that doesn't work. Any suggestions?
Yes, in Google OAuth 2.0, although you can set no URIs in REDIRECT URIS, it doesn't make any sense. Redirect URI is required in client registration and OAuth flows (authorization code flow and implicit flow). Lack of a redirection URI registration requirement can enable an attacker to use the authorization endpoint as an open redirector.
You mentioned that LinkedIn enabled open redirect URI. This is not acceptable in security. And I've noticed that LinkedIn has fixed this issue.
In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application's redirect URLs with us by April 11, 2014.
Here is LinkedIn's announcement.
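As an added illustration of the check the answer above refers to (this is example code, not code from either answer or from Google's authorization server), here is an exact-match validation of the request's redirect_uri against the client's registered list; the client id, registered URIs and request URLs are constructed for the example. Supporting several callbacks at run time means registering each of them, not relaxing the comparison.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registration for the example: the client's "Authorized redirect URIs".
# A client that needs several callbacks registers each one explicitly.
REGISTERED_REDIRECT_URIS = {
    "client-123": [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-mobile",
    ],
}


def redirect_uri_is_authorized(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered list.

    This mirrors what the question describes: the server compares the
    redirect_uri in the authorization request with what the client registered
    and refuses anything else. No prefix, wildcard or substring matching, so a
    URI that merely starts with or resembles a registered one is rejected.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return redirect_uri in registered


def check_authorization_request(url: str) -> tuple[bool, str]:
    """Validate the redirect_uri of an authorization request given as a full URL.

    Returns (ok, reason). The request is refused before any redirect happens,
    so the endpoint cannot be used to send users to an unregistered location.
    """
    params = parse_qs(urlsplit(url).query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if not client_id:
        return False, "missing client_id"
    if not redirect_uri:
        return False, "missing redirect_uri"
    if not redirect_uri_is_authorized(client_id, redirect_uri):
        # RFC 6749 section 3.1.2.4: on a mismatch the server must not redirect;
        # it reports the error to the resource owner directly instead.
        return False, "redirect_uri_mismatch"
    return True, "ok"
```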
No, Authorised redirect URI is NOT mandatory.
See, for example, https://developers.google.com/+/web/signin/javascript-flow
The quickstart example even shows how you might use different callback URLs.