Reputation: 28853
In OAuth 2 when you add your client you give it a redirect url.
e.g.
http://example.com
But when you request authorization for a user, you also pass back a redirect url as part of the request.
e.g.
authorize?response_type=code&client_id=CLIENT_ID&return_url=http%3A%2F%2Fexample.com%2Fsecure%2F&state=STATE
My question is basically, what is the point in storing the redirect url against the client? Is this just for security to make sure you ONLY redirect to the original website and not whatever is passed as part of the request?
In any case what I have found is that the return url parameter sent as part of the request isn't honoured e.g. http://example.com/secure and the redirect url saved against the client is always used... and therefore you don't get redirected to your original request but just the home page.
What should happen? And why do we have the return url twice?
Should it not just be the domain stored against the client and then the return url passed back is used and then the domain compared for security?
Upvotes: 1
Views: 3966
Reputation: 54088
This is indeed a security measure so that responses are only sent to URLs that have explicitly been associated with a client at registration/administration time.
The client may register multiple Redirect URIs and in that case it is useful to use the redirect_uri query parameter in the request to indicate to which one of the registered values the server needs to send the response. In case there's only one registered value, the redirect_uri query parameter may be omitted from the request.
This mechanism secures against phishing attacks where an attacker phishes the user into clicking a link that contains a crafted redirect_uri parameter that points to a domain/server that the attacker controls.
The spec allows indeed for registration of a pattern that can be used to match against the redirect_uri value in the request, so e.g. a domain wide policy can be configured. This is an option that is implementation specific. Note that in that case you need to be sure that all possible URLs/paths on the domain are in fact controlled by the client owner and no one else (e.g. that excludes pages that load content from foreign domains, or potentially dangerous wiki/forum pages). Since that is pretty hard in real life, the recommended/default matching is very strict.
Upvotes: 1
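The matching rules the answer describes (strict comparison against the registered values, the parameter optional only when a single URI is registered, and no redirect at all on a mismatch), as an added example that is not code from the question or the answer; the client ids, registered URIs and the authorization server hostname are constructed:

```python
# Added example: server-side handling of the redirect_uri query parameter.
# Registration data and request URLs below are constructed for illustration.
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class InvalidRedirectUri(Exception):
    """Raised when the server must NOT redirect and should show an error page instead."""


# Constructed registration data: client_id -> redirect URIs registered for it.
REGISTERED = {
    "client-one": ["http://example.com/"],
    "client-multi": ["http://example.com/secure/", "http://example.com/admin/cb"],
}


def resolve_redirect_uri(client_id: Optional[str], requested: Optional[str]) -> str:
    """Return the URI the authorization response may be sent to, or raise."""
    registered = REGISTERED.get(client_id or "")
    if not registered:
        raise InvalidRedirectUri("unknown client_id")
    if requested is None:
        # Omitting the parameter is only acceptable with exactly one registered value.
        if len(registered) == 1:
            return registered[0]
        raise InvalidRedirectUri("redirect_uri required: several URIs are registered")
    # Strict (default) matching: the whole string must equal a registered value.
    # A different host, scheme, path, trailing slash or added query string is
    # rejected, so a crafted link cannot steer the response somewhere else.
    if requested in registered:
        return requested
    raise InvalidRedirectUri("redirect_uri does not match a registered value")


def is_allowed(client_id: Optional[str], requested: Optional[str]) -> bool:
    """Boolean form of resolve_redirect_uri, convenient for policy checks."""
    try:
        resolve_redirect_uri(client_id, requested)
        return True
    except InvalidRedirectUri:
        return False


def handle_authorize(request_url: str) -> str:
    """Parse an authorization request URL and decide where the code may be delivered."""
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    client_id = params.get("client_id", [None])[0]
    requested = params.get("redirect_uri", [None])[0]
    return resolve_redirect_uri(client_id, requested)
```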