themihai

Reputation: 8631

Why is redirect_uri required on Access Token request?

I'm developing an oauth2 provider based on rfc6749 and I'm wondering, why is redirect_uri required on the Access Token Request? The /token endpoint is not redirecting and the state is assumed to be already validated (i.e. against CSRF) so a copy of the redirectURI doesn't make much sense to me.

Upvotes: 23

Views: 8896

Answers (3)

Gab

Reputation: 8323

The same question is debated here: https://security.stackexchange.com/questions/44214/what-is-the-purpose-of-oauth-2-0-redirect-uri-checking.

The best response imho is vinod's one, i.e. to reduce the attack surface when using flexible redirect_uri (using wildcards).

Upvotes: 3

cyberguest

Reputation: 194

In auth code flow, it's used to validate the redirect_uri in the first auth request. https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/

Granting Access Tokens

The token endpoint will get a request to exchange an authorization code for an access token. This request will contain a redirect URL as well as the authorization code. As an added measure of security, the server should verify that the redirect URL in this request matches exactly the redirect URL that was included in the initial authorization request for this authorization code. If the redirect URL does not match, the server rejects the request with an error.

Upvotes: 6
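A worked example of the check the quoted text describes, added here and not taken from the question, any answer, or oauth.com: a minimal token endpoint that binds the redirect_uri to the authorization code when the code is issued and refuses the exchange unless the token request carries an identical value (exact string comparison, which is what RFC 6749 §4.1.3 requires). The in-memory store, client id and URIs are constructed sample values; the single-use and expiry checks are included because a real token endpoint makes them at the same point.

```python
import secrets
import time

# Constructed in-memory store for the example; a real server persists this.
# code -> {"client_id", "redirect_uri", "scope", "expires", "used"}
_codes = {}
CODE_TTL_SECONDS = 60  # RFC 6749 recommends a short lifetime for codes


def issue_authorization_code(client_id, redirect_uri, scope):
    """Authorization endpoint side: after consent, mint a code and record
    the redirect_uri it was issued for (None if the request sent none and
    the client's single registered URI was used instead)."""
    code = secrets.token_urlsafe(32)
    _codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "expires": time.time() + CODE_TTL_SECONDS,
        "used": False,
    }
    return code


def _invalid_grant(description):
    # RFC 6749 §5.2: a bad or mismatched code is reported as invalid_grant.
    return 400, {"error": "invalid_grant", "error_description": description}


def exchange_code(client_id, code, redirect_uri, now=None):
    """Token endpoint side: validate the code and, if the authorization
    request carried a redirect_uri, require the identical value here."""
    now = time.time() if now is None else now
    rec = _codes.get(code)
    if rec is None or rec["client_id"] != client_id:
        return _invalid_grant("unknown code or wrong client")
    if rec["used"]:
        return _invalid_grant("code already redeemed")
    if now > rec["expires"]:
        return _invalid_grant("code expired")
    # Exact string match, not prefix or wildcard: a code captured from a
    # redirect to an attacker-influenced URI cannot be redeemed with the
    # client's registered URI, and vice versa.
    if rec["redirect_uri"] is not None and redirect_uri != rec["redirect_uri"]:
        return _invalid_grant("redirect_uri does not match authorization request")
    rec["used"] = True  # codes are single-use
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
             "expires_in": 3600, "scope": rec["scope"]}
    return 200, token
```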

dvsakgec

Reputation: 3774

Redirect URI is needed in case of: 1. Authorization code flow, where the server redirects with the code to the redirect URI. For example, a sample response to the authorization request is:

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
           &state=xyz

The same is true for the error response in the authz code flow:

HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz

In case of implicit grant as well, the server returns the access token in the hash "#" fragment to the redirect URI provided in the request.

Upvotes: -1
