Is "Authorized redirect URI" mandatory when setting up a new clientId under google developers console?

The authorized redirect URI is used by Google to do a callback to pass the authorization token.

It is also used for validation by Google. So when receiving the actual OAuth request, Google checks to see if the callback URL given in the request is the same as the "Authorized redirect URI", and if not it throws an error.

My requirement is to prevent Google from doing this validation, as I want to be able to pass different callback URLs at run time. I tried giving the "authorized redirect URI" as empty, but that doesn't work. Any suggestions?

Zenil asked Aug 20 '14 08:08


2 Answers

Yes, in Google OAuth 2.0, although you can set no URIs in REDIRECT URIS, it doesn't make any sense. A redirect URI is required in client registration and in the OAuth flows (authorization code flow and implicit flow). Lack of a redirection URI registration requirement can enable an attacker to use the authorization endpoint as an open redirector.

You mentioned that LinkedIn enabled an open redirect URI. This is not acceptable in security. And I've noticed that LinkedIn has fixed this issue.

In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application's redirect URLs with us by April 11, 2014.

Here is LinkedIn's announcement.

Owen Cao answered Nov 12 '22 15:11
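To make the open-redirector point concrete, here is an added example (not part of the answer above, and not Google's or LinkedIn's code) of how an authorization server should compare the `redirect_uri` it receives against the URIs registered for the client. The registered URIs, the weak prefix check and the sample requests are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical OAuth client.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
    "http://localhost:8080/callback",
}


def weak_prefix_check(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Insecure comparison, shown only as the 'before': any URI that merely
    starts with a registered one is accepted, so extra path segments or a
    query string chosen by the caller slip through."""
    return any(requested.startswith(r) for r in registered)


def strict_redirect_uri_check(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Simple string comparison against the full registered URI, as RFC 6749
    section 3.1.2.3 requires when a complete redirect URI is registered.
    Fragments are rejected because a redirection endpoint URI must not carry
    one (section 3.1.2)."""
    try:
        parts = urlsplit(requested)
    except ValueError:
        return False
    if parts.fragment or parts.scheme not in ("https", "http"):
        return False
    return requested in registered


def handle_authorization_request(params: dict) -> dict:
    """Decide how the authorization endpoint responds to the redirect_uri it
    received. On a missing or mismatched URI the server must not redirect to
    the supplied value (RFC 6749 section 4.1.2.1); it renders an error page
    to the resource owner instead, which is what closes the open redirector."""
    uri = params.get("redirect_uri")
    if uri is None or not strict_redirect_uri_check(uri):
        return {"action": "show_error_page", "error": "invalid_request"}
    return {"action": "redirect", "to": uri}


if __name__ == "__main__":
    # Constructed request that a prefix check would wrongly accept.
    crafted = "https://app.example.com/oauth/callback/../logout?next=https://evil.example"
    print("prefix check accepts:", weak_prefix_check(crafted))          # True
    print("strict check accepts:", strict_redirect_uri_check(crafted))  # False
    print(handle_authorization_request({"redirect_uri": crafted}))
```

The same strict comparison has to be repeated at the token endpoint, where the client resends `redirect_uri`, so that a code issued for one URI cannot be exchanged with another.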


No, the Authorised redirect URI is NOT mandatory.

See, for example, https://developers.google.com/+/web/signin/javascript-flow

The quickstart example even shows how you might use different callback URLs.

Ian answered Nov 12 '22 16:11