fyrkov

Reputation: 2715

Why does the google-oauth API require a redirect URL?

I'm trying to set up an authorization flow with the google-oauth2 API. The task is to authorize users with Google accounts in my web application, which consists of frontend and backend parts.

The flow according to the documentation consists of 2 steps:
1) obtaining an auth code
2) exchanging an auth code for a token

In my flow, FE client obtains an auth code from google and submits it to BE, which then exchanges it for a token, so no redirect URL (or sometimes called callback URL) is used.

I do not understand why the Google API requires me to provide redirect_uri for the second step. Since this step is performed by a server, not a browser, I don't see any sense in this piece of info. The server just calls the POST /oauth2/v4/token Google endpoint and receives a token in response.

See step 4 at https://developers.google.com/identity/protocols/OpenIDConnect

Upvotes: 2

Views: 1595

Answers (1)

codebrane

Reputation: 4620

According to this, it's to guard against stealing the access_token. If a service doesn't check the initial redirect_uri, the authorization code is sent to the hacker's redirect_uri, which can then exchange it for an access_token, i.e. illegal access to the user's account. To actually get the access_token, the redirect_uri is specified again and this time must be checked by the server against the ones that are registered for that application. At that point, the hacker is foiled as the fake redirect_uri doesn't match any of the legal ones. Apparently some servers don't check the redirect_uri during the authorization stage, and sending the redirect_uri again when requesting the access_token is meant to provide a final safety check.

Upvotes: 3
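The check the answer describes, written out as an added example (not Google's code and not part of the original post): a minimal in-memory model of an OAuth 2.0 authorization server in which the authorization endpoint binds each issued code to the exact redirect_uri it was requested with, and the token endpoint refuses to redeem the code unless the same redirect_uri is presented again. The client registration, secret and URIs are constructed sample data; function names are this example's own.

```python
"""Simplified model of an OAuth 2.0 authorization server (example code only,
not Google's implementation). Shows why the token endpoint asks for
redirect_uri a second time: the authorization code is bound to the
redirect_uri used in the authorization request, and the exchange must present
the identical value, which must also be one registered for the client."""
import secrets
import time

# Constructed sample registration: one client with two registered redirect URIs.
REGISTERED_CLIENTS = {
    "client-123": {
        "secret": "s3cret",
        "redirect_uris": {
            "https://app.example/callback",
            "https://app.example/alt-callback",
        },
    }
}

# In-memory store of issued authorization codes -> binding data.
_issued_codes = {}

CODE_LIFETIME_SECONDS = 600


def redirect_uri_allowed(client_id, redirect_uri):
    """True only if redirect_uri is an exact string match for one of the
    client's registered URIs (no prefix, wildcard or host-only matching)."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def authorize(client_id, redirect_uri, user_id):
    """Authorization endpoint (step 1): issue a code bound to redirect_uri.

    Raises ValueError if the client is unknown or the redirect_uri is not
    registered, so the code is never delivered to an unregistered location.
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("redirect_uri not registered for this client")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "user_id": user_id,
        "issued_at": time.time(),
        "used": False,
    }
    return code


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Token endpoint (step 2): exchange the code for an access token.

    The code is redeemed only if it exists, is unexpired and unused, the
    client credentials match the client it was issued to, and redirect_uri
    equals the value bound at authorization time. Any failure returns None;
    on success the code is consumed (single use) and a token dict is returned.
    """
    binding = _issued_codes.get(code)
    if binding is None or binding["used"]:
        return None
    if time.time() - binding["issued_at"] > CODE_LIFETIME_SECONDS:
        return None
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None
    if binding["client_id"] != client_id:
        return None
    if binding["redirect_uri"] != redirect_uri:
        # The check from the answer: a code issued for one redirect_uri cannot
        # be redeemed by presenting a different one, registered or not.
        return None
    binding["used"] = True
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "sub": binding["user_id"],
    }


if __name__ == "__main__":
    code = authorize("client-123", "https://app.example/callback", "user-1")
    print(exchange_code("client-123", "s3cret", code, "https://app.example/alt-callback"))  # None
    print(exchange_code("client-123", "s3cret", code, "https://app.example/callback"))      # token
```

In the question's frontend-obtains-code, backend-exchanges-it flow, the backend is the party that must supply the same redirect_uri the frontend's authorization request used; the model above makes it concrete that a mismatch is rejected even when the second value is itself a registered URI, and that the binding is to the exact string.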
