OAuth 2.0 redirect URI validation
OAuth 2.0 servers must check that the redirect_uri of a received authorisation request is identical to a redirection URI registered for the client. Failure to match the redirect_uri exactly opens the server to attacks such as authorisation code exfiltration.
Exact URI string matching is the most secure way to validate a redirect_uri and thus the recommendation of the OAuth working group.
OAuth 2.0 server implementers who choose to check the redirect_uri by some other method, for example by means of pattern matching in order to enable wildcards in a portion of the URI, run a significant risk. If the check is vulnerable an attacker might be able to craft an exploit to steal tokens. Always use strict URI string matching!
The OAuth 2.0 / OpenID Connect SDK includes a special class, used internally by the SDK's parse methods, that enforces extra security checks on the redirect_uri and rejects it if the URI is deemed suspicious and / or vulnerable.
As of version 10.14 a validation exception is thrown when any of the following is detected:
The redirect URI includes a fragment (fragments are not allowed).
The redirect URI includes a "code" or "state" query parameter, which can be used in the attack described in the "OAuth 2.0 Redirect URI Validation Falls Short, Literally" talk by Tommaso Innocenti, Matteo Golinelli, Kaan Onarlioglu, Bruno Crispo and Engin Kirda at the OAuth Security Workshop 2023. We added the "response" query parameter used in JARM to the above blacklist.
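The two shape checks above, placed in front of an exact string match against the client's registered URIs, as an added example in Python (not the SDK's own code; the registered URI and the URIs tried against it are constructed, and the prefix check is included only to show what the pattern-matching approach warned against lets through):

```python
from urllib.parse import parse_qsl, urlsplit

# Query parameter names a registered redirect_uri must not carry: "code" and
# "state" per the OSW 2023 finding cited above, "response" as used by JARM.
FORBIDDEN_QUERY_PARAMS = frozenset({"code", "state", "response"})


class RedirectURIError(ValueError):
    """Raised when a redirect_uri is rejected."""


def check_redirect_uri_shape(uri: str) -> None:
    """Structural checks: no fragment, no reserved query parameter names."""
    if "#" in uri:  # any '#' is a fragment, even an empty one
        raise RedirectURIError("redirect_uri must not contain a fragment")
    names = {n for n, _ in parse_qsl(urlsplit(uri).query, keep_blank_values=True)}
    clashing = sorted(names & FORBIDDEN_QUERY_PARAMS)
    if clashing:
        raise RedirectURIError("reserved query parameter(s): " + ", ".join(clashing))


def validate_redirect_uri(requested: str, registered: frozenset) -> str:
    """Exact string match against the client's registered URIs (no wildcards,
    no normalisation). Shape checks run first, so a suspicious URI is rejected
    even if it was mistakenly registered. Returns the accepted URI unchanged."""
    check_redirect_uri_shape(requested)
    if requested not in registered:
        raise RedirectURIError("redirect_uri is not registered for this client")
    return requested


def lax_prefix_match(requested: str, registered: frozenset) -> bool:
    """The kind of pattern check the text warns against, shown for contrast:
    accepts anything that merely starts with a registered value."""
    return any(requested.startswith(r) for r in registered)


if __name__ == "__main__":
    registered = frozenset({"https://client.example.com/cb"})  # constructed
    for uri in ("https://client.example.com/cb", "https://client.example.com/cb#",
                "https://client.example.com/cb?state=s", "https://client.example.com/cb/x"):
        try:
            verdict = "accepted: " + validate_redirect_uri(uri, registered)
        except RedirectURIError as err:
            verdict = f"rejected ({err})"
        print(f"{uri}\n  strict: {verdict}\n  prefix: {lax_prefix_match(uri, registered)}")
```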