

Showing posts from May, 2016

Holy redirect_uri Batman!

If you bought the book I have been writing with Justin Richer, namely OAuth 2 in Action, you might have noticed that we never get tired of stressing how important the redirect_uri is in the OAuth 2 universe. Failing to understand this (rather simple) concept might lead to disasters. The redirect_uri is central in the two most common OAuth flows (authorization code and implicit grant). I have blogged about redirect_uri related vulnerabilities several times, in both the OAuth client and the OAuth server context. An OAuth client is notoriously easier to develop than its server counterpart. That said, the OAuth client implementer should still take care and master some concepts. If I were limited to a single warning for OAuth client implementers, it would be this: if you are building an OAuth client, thou shalt register a redirect_uri as specific as you can, or, less formally, "The registered redirect_uri must be
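To make the "register as specific as you can" advice concrete, here is an added example (it is not code from the post or from the OAuth 2 in Action book) showing the two checks that follow from it: a registration-time check that refuses vague redirect_uri values (no path, wildcard, plain http on a non-loopback host, fragment), and an authorization-time check that compares the requested redirect_uri against the registered value by exact string comparison, which is what RFC 6749 section 3.1.2.3 requires when a full redirect URI is registered. The client registry and the client_id are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample client registry: client_id -> list of registered redirect URIs.
# Not taken from the post; stands in for the authorization server's client store.
REGISTERED_CLIENTS = {
    "client-a": ["https://client.example/oauth/callback"],
}

LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


def is_specific_redirect_uri(uri: str) -> bool:
    """Registration-time check: accept only a concrete, absolute redirect_uri.

    Rejects wildcards, fragments, origin-only values without a path, and
    plain http except on a loopback host (the native-app loopback case).
    """
    if "*" in uri:
        return False
    parts = urlsplit(uri)
    if parts.scheme not in ("https", "http"):
        return False
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        return False
    if not parts.netloc:
        return False
    # An origin alone ("https://client.example" or ".../") is not specific enough.
    if not parts.path or parts.path == "/":
        return False
    if parts.fragment:
        return False
    return True


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Authorization-time check: exact string comparison against the registered list.

    No prefix, substring, or host-only matching: a trailing slash, an added
    query parameter, or a different path is a different redirect_uri.
    """
    return requested in REGISTERED_CLIENTS.get(client_id, [])


if __name__ == "__main__":
    print(is_specific_redirect_uri("https://client.example/oauth/callback"))  # True
    print(is_specific_redirect_uri("https://client.example/"))                # False
    print(redirect_uri_allowed("client-a", "https://client.example/oauth/callback"))   # True
    print(redirect_uri_allowed("client-a", "https://client.example/oauth/callback/"))  # False
```

The point of the second function is that the server never has to reason about which variants of a URI are "close enough": because the client registered the full, specific value, a plain equality test is both the simplest and the safest comparison.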