Fei Qu

Reputation: 141

For doorkeeper gem, why do we need to set redirect_url at both server dashboard and request param from client?

I'm looking at some examples of the doorkeeper gem. One thing I noticed is that they set the redirect URL in 2 places. One is when they create a new OAuth application at /oauth/applications, the other is when the client makes a request to /oauth/authorize to get an access code. I'm wondering why they need to set the redirect URL in 2 places?

Upvotes: 0

Views: 1547

Answers (1)

Dan

Reputation: 385

It is not just doorkeeper's implementation. It is indeed defined by the OAuth2 documentation. You can see that redirect_uri is defined as a parameter of two endpoints here:

"Why they need to set redirect url at 2 places?" Because:

  • The client can register multiple redirect_uri values on the Authorization Server. See here: "provide its client redirection URIs as described in Section 3.1.2"
  • After the client sends one of the registered redirect_uri values in the Authorization Request (4.1.1) to the Authorization Server, the client will receive the authorization_code in the response from the Authorization Server at that redirect_uri. So when you exchange that authorization_code for an access_token in the Access Token Request (4.1.3), you need to send the same redirect_uri so that the Authorization Server can make sure that the requested authorization_code is bound to the redirect_uri.

Upvotes: 1
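The two checks described in the answer above, as an added Ruby sketch that is not part of the original answer and is not Doorkeeper's code. `ToyAuthServer`, its method names and the `app.example` URIs are hypothetical, and client authentication at the token endpoint is left out to keep the focus on redirect_uri.

```ruby
require "securerandom"

# Toy authorization server (hypothetical names, not Doorkeeper's API) showing
# where redirect_uri is checked per RFC 6749 sections 3.1.2, 4.1.1 and 4.1.3.
class ToyAuthServer
  Grant = Struct.new(:client_id, :redirect_uri, :used)

  def initialize
    @registered = {} # client_id => array of registered redirect URIs
    @grants = {}     # authorization code => Grant
  end

  # Registration (3.1.2): done once, e.g. in the /oauth/applications dashboard.
  def register(client_id, redirect_uris)
    @registered[client_id] = redirect_uris.dup.freeze
  end

  # Authorization request (4.1.1): the URI must exactly match a registered
  # value, otherwise no code is issued and nothing is redirected.
  def authorize(client_id, redirect_uri)
    allowed = @registered.fetch(client_id) { raise ArgumentError, "unknown client" }
    raise ArgumentError, "redirect_uri not registered" unless allowed.include?(redirect_uri)
    code = SecureRandom.hex(16)
    @grants[code] = Grant.new(client_id, redirect_uri, false)
    code
  end

  # Token request (4.1.3): the code is single-use and only redeemable with
  # the same client_id and redirect_uri it was issued for.
  def exchange(client_id, code, redirect_uri)
    grant = @grants[code]
    return :invalid_grant if grant.nil? || grant.used
    return :invalid_grant unless grant.client_id == client_id
    return :invalid_grant unless grant.redirect_uri == redirect_uri
    grant.used = true
    SecureRandom.hex(16) # constructed stand-in for an access token
  end
end

# Constructed sample data: one client with two registered callbacks.
def demo
  server = ToyAuthServer.new
  server.register("app1", ["https://app.example/cb", "https://app.example/cb2"])
  code = server.authorize("app1", "https://app.example/cb")
  mismatch = server.exchange("app1", code, "https://app.example/cb2")
  token = server.exchange("app1", code, "https://app.example/cb")
  replay = server.exchange("app1", code, "https://app.example/cb")
  [mismatch, token.is_a?(String), replay]
end
```

Even a redirect_uri that is registered for the same client is rejected at the token step if it is not the one the code was issued for, which is the binding the answer refers to.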
