concept redirect_uri in category oauth

appears as: redirect_uri
OAuth 2 in Action

This is an excerpt from Manning's book OAuth 2 in Action.

This takes the form of an HTTP redirect to the client’s redirect_uri.

Note that the crafted URI contains a redirect_uri pointing to the attacker’s page, which is a subdirectory of the valid registered redirect URI for the client. The attacker was then able to change the flow to something like what is shown in figure 7.3.

Figure 7.3. Stolen authorization code

Since you registered https://yourouauthclient.com as redirect_uri and the OAuth provider adopts an allowing-subdirectory validation strategy, https://yourouauthclient.com/usergeneratedcontent/attackerpage.html is a perfectly valid redirect_uri for your client.
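As an added example (not code from OAuth 2 in Action), here are the two validation strategies side by side in a minimal authorization-server check: the allowing-subdirectory strategy accepts the attacker's page under the registered https://yourouauthclient.com, exact string matching rejects it, and registering a specific callback path closes the hole even under the permissive strategy. The client identifiers, the authorization endpoint and the /oauth/callback path are assumptions made for the example; the attacker page path is the one quoted above.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registrations (hypothetical client_ids). The first registers the
# bare origin from the excerpt; the second registers a specific callback path
# (a hypothetical path chosen for this example).
REGISTERED_CLIENTS = {
    "client-bare-origin": ["https://yourouauthclient.com"],
    "client-specific": ["https://yourouauthclient.com/oauth/callback"],
}
AUTHORIZATION_ENDPOINT = "https://authorization-server.example/authorize"  # hypothetical
ATTACKER_URI = "https://yourouauthclient.com/usergeneratedcontent/attackerpage.html"


def allowing_subdirectory_match(registered: str, requested: str) -> bool:
    """The permissive strategy the excerpt warns about: a requested URI passes
    when it shares scheme and host with a registered URI and its path is at or
    under the registered path. Query strings and fragments are refused."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if (reg.scheme, reg.netloc) != (req.scheme, req.netloc):
        return False
    if req.query or req.fragment:
        return False
    base = reg.path.rstrip("/")
    return req.path.rstrip("/") == base or req.path.startswith(base + "/")


def exact_match(registered: str, requested: str) -> bool:
    """Strict strategy: a byte-for-byte string comparison and nothing else."""
    return registered == requested


def validate_redirect_uri(client_id: str, requested: str, strategy) -> bool:
    """True if the requested redirect_uri matches any URI registered for the client."""
    return any(strategy(r, requested) for r in REGISTERED_CLIENTS.get(client_id, []))


def build_authorization_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Front-channel URL a client (or an attacker crafting a link) sends the user to."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZATION_ENDPOINT}?{query}"


def handle_authorization_request(request_url: str, strategy, code: str = "constructed-code-1"):
    """Authorization-server side of the request. Returns ('redirect', location)
    when the redirect_uri passes validation and the code travels through the
    user's browser to that location, or ('error', reason) when it does not.
    RFC 6749 section 4.1.2.1 says an invalid redirect_uri must not be redirected
    to, so the error is shown to the user rather than sent anywhere."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not validate_redirect_uri(client_id, redirect_uri, strategy):
        return ("error", "invalid redirect_uri for client")
    # Resource-owner authentication and consent are omitted here.
    location = redirect_uri + "?" + urlencode({"code": code, "state": params.get("state", "")})
    return ("redirect", location)


def run_demo() -> dict:
    """The crafted URI from the excerpt against each strategy and registration."""
    crafted = build_authorization_url("client-bare-origin", ATTACKER_URI, "xyz")
    return {
        "subdir_strategy": handle_authorization_request(crafted, allowing_subdirectory_match),
        "exact_strategy": handle_authorization_request(crafted, exact_match),
        "specific_registration": handle_authorization_request(
            build_authorization_url("client-specific", ATTACKER_URI, "xyz"),
            allowing_subdirectory_match),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Under the subdirectory strategy the code is delivered to attackerpage.html; under exact matching, or with a specific callback path registered, the server refuses before any redirect happens. Note that the refusal returns an error page rather than redirecting to the supplied URI, which is what RFC 6749 requires for a redirect_uri that fails validation.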

Pay particular attention to the redirect_uri you register when creating the new OAuth client at the authorization server: it must be as specific as it can be. For example, if your OAuth client’s callback is
