Redirect URI Validation

This feature lets you enforce validation of the redirect_uri parameter sent by the client against the URIs registered for that client.

What is the redirect_uri parameter?

When authorizing the client, the user is redirected to the OAuth/OpenID provider. There the user authenticates and then authorizes the client to perform actions on their behalf. When this is done, the user is redirected back to the client using the Redirect/Callback URI. This URL is where the client actually handles the OAuth response from the provider.

This response varies according to the Grant Type used. The client handles the response accordingly and then proceeds to perform actions on the user's behalf.

Why would someone turn off the validation?

Sometimes the client needs to redirect the user to a URL other than the one registered. This is especially true for stateless applications, where the URL can contain a dynamically generated component.

Plugin Configuration

  • Navigate to the Configurations tab.
  • Under the Redirect/Callback URI Validation section, you can find the toggle for this option.
  • If the toggle is turned ON, the OAuth Server will validate the Redirect/Callback URI that is sent by the client. If the client does not send a URL registered with the server, it will show the following error:
    ERROR:
      {
          "error": "redirect_uri_mismatch",
          "error_description": "The redirect URI provided is missing or does not match",
          "error_uri": "http://tools.ietf.org/html/rfc6749#section-3.1.2"
      }
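The following is an added example, not code from the plugin, that shows what the validation behind the toggle amounts to and how a client can keep the toggle ON while still returning the user to a dynamic location. A registered URI is compared with the supplied one by exact match (scheme and host case-insensitively, path and query byte-for-byte, and no fragment, as RFC 6749 section 3.1.2 requires); on mismatch or absence the error body shown above is returned. The dynamic part of the return location is carried in the OAuth state parameter instead of in redirect_uri, so validation never needs to be turned off. The client registry, client_id value and the encode_state/decode_state helpers are constructed for this example.

```python
import base64
import json
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed sample registry: client_id -> list of registered redirect URIs.
# (Not the plugin's data model; the plugin stores this per registered client.)
REGISTERED_CLIENTS = {
    "demo-client": ["https://app.example.com/oauth/callback"],
}

# Error body the server returns on a mismatch (as shown on this page).
REDIRECT_URI_MISMATCH = {
    "error": "redirect_uri_mismatch",
    "error_description": "The redirect URI provided is missing or does not match",
    "error_uri": "http://tools.ietf.org/html/rfc6749#section-3.1.2",
}


def normalize(uri: str) -> str:
    """Lower-case only the scheme and host (case-insensitive per RFC 3986).
    Path and query are left untouched so they compare byte-for-byte; no prefix
    or substring matching, no dot-segment resolution."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def validate_redirect_uri(client_id: str, redirect_uri: str, validate: bool = True):
    """Return (ok, error_body). `validate` mirrors the plugin toggle:
    OFF accepts whatever the client sent, ON enforces an exact match."""
    if not validate:
        return True, None
    if not redirect_uri:
        return False, REDIRECT_URI_MISMATCH
    # RFC 6749 3.1.2: the redirection endpoint URI must not carry a fragment.
    if urlsplit(redirect_uri).fragment:
        return False, REDIRECT_URI_MISMATCH
    candidate = normalize(redirect_uri)
    registered = REGISTERED_CLIENTS.get(client_id, [])
    if any(candidate == normalize(r) for r in registered):
        return True, None
    return False, REDIRECT_URI_MISMATCH


def encode_state(return_to: str) -> str:
    """Client side: pack a CSRF nonce and the dynamic return path into `state`.
    The nonce must also be stored in the user's session and checked on return
    (not shown here). Only a same-site relative path is accepted, so `state`
    cannot become an open redirect."""
    if not return_to.startswith("/") or return_to.startswith("//"):
        raise ValueError("return_to must be a site-relative path")
    payload = json.dumps({"nonce": secrets.token_urlsafe(16), "return_to": return_to})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def decode_state(state: str) -> dict:
    """Client side: recover nonce and return path from the `state` echoed back
    by the provider along with the authorization response."""
    padded = state + "=" * (-len(state) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    # Toggle ON: registered URI accepted, anything else rejected with the page's error.
    print(validate_redirect_uri("demo-client", "https://app.example.com/oauth/callback"))
    ok, err = validate_redirect_uri("demo-client", "https://app.example.com/oauth/callback/../admin")
    print(ok, json.dumps(err, indent=2))
    # Dynamic destination travels in `state`, redirect_uri stays the registered one.
    s = encode_state("/dashboard?tab=billing")
    print(s, decode_state(s)["return_to"])
```

With the toggle ON, the server never has to trust a path or query string chosen at request time: the client sends the single registered URI and, after the callback, reads its own dynamic destination out of state, where the nonce check also gives CSRF protection for free.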