Skip to main content

Posts

Showing posts from May, 2016

Holy redirect_uri Batman!

If you bought the book I have been writing with Justin Richer namely OAuth 2 in Actionyou might have noticed that we will never got tired to stress out how much important the redirect_uri is in the OAuth 2 universe. Failing to understand this (rather simple) concept might  lead to disasters. The redirect_uri is really central in the two most common OAuth flows (authorization code and implicit grant). I have blogged about redirect_uri related vulnerability severaltimes and both in OAuth client and OAuth server context.  Developing an OAuth client is notoriously easier to develop compare to the server counter part. Said that the OAuth client implementer should still take care and master some concepts.  If I would be limited to give a single warning for OAuth client implementer this would be 
If you are building an OAuth client,   Thou shall register a redirect_uri as much as specific as you can
or simply less formally "The registered redirect_uri must be as specific as it can be&quo…