Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is redirect_uri required on Access Token request?

Tags:

oauth-2.0

oauth2

rfc6749

I'm developing an oauth2 provider based on rfc6749 and I'm wondering, why is redirect_uri required on the Access Token Request? The /token endpoint is not redirecting and the state is assumed to be already validated (i.e. against CSRF) so a copy of the redirectURI doesn't make much sense to me.

like image 977
themihai Avatar asked Jun 06 '16 13:06

themihai

People also ask

What is authorization response?

The authorization response can be used to get the access token for accessing the owner resources in the system using the authorization code. The access token is given by the authorization server when it accepts the client ID, client password and authorization code sent by the client application.

Why is oauth2 required?

OAuth 2.0 is a secure, open data sharing standard that should be built into every app. This authentication and authorization standard protects user data by providing access to the data without revealing the user's identity or credentials.

What is oauth2 access token generation?

OAuth Access Tokens An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server. Access tokens do not have to be in any particular format, and in practice, various OAuth servers have chosen many different formats for their access tokens.

What is the purpose of Redirect_uri?

A redirect URI, or reply URL, is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token.

1 Answers

In auth code flow, it's used to validate the redirect_uri in the first auth request. https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/

Granting Access Tokens

The token endpoint will get a request to exchange an authorization code for an access token. This request will contain a redirect URL as well as the authorization code. As an added measure of security, the server should verify that the redirect URL in this request matches exactly the redirect URL that was included in the initial authorization request for this authorization code. If the redirect URL does not match, the server rejects the request with an error.

like image 180
cyberguest Avatar answered Oct 11 '22 11:10

cyberguest
Sign in to Comment

Related questions

OAuth Client Credential Flow - Refresh Tokens
OAuth 2 bearer Authorization header
Google Endpoints API + Chrome Extension returns None for endpoints.get_current_user().user_id()
Microservices and Spring Security OAuth2
Is there any Node.js client library to make OAuth and OAuth2 API calls to Twitter, Facebook, Google, LinkedIn, etc.?
How do I enable ssl for all controllers in mvc application
Customizing Linkedin Login Button
Spring boot rest service options 401 on oauth/token
OmniAuth using google oauth 2 strategy scope failure
OAuth2.0 Server stack how to use state to prevent CSRF? for draft2.0 v20
Can't get the network credentials to work
How to configure FOSUserBundle to be the authentication provider for my FOSOAuthServerBundle enabled server
OAuth 2.0 integrated with REST WCF Service application
Google Drive Api - Custom IDataStore with Entity Framework
ASP.NET MVC 5 and WebApi 2 Authentication
validate OAuth 2.0 access token from a Spring RESTful resource server
How can I validate my custom Oauth2 access token in server-side
Browser intent and return to correct activity (close opened tab)
What does resourceId mean in OAuth 2.0 with Spring Security
Azure OpenID Connect via OWIN Middleware resulting in Infinite Redirect Loop

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!