I've been reading the OAuth2 spec and section 3.1.2 states that the `redirect_uri` parameter (the callback used after successful authentication to redirect back to the service) must be an absolute URI. I've struggled unsuccessfully to work out exactly why this is in the spec - is it critical for security? If so, is it protecting against untrusted usages (Facebook auth) or more audited flows where the same org runs both client and IdP?

J. Baker
  • It's probably just to make validating it easier while allowing fuller logs and avoiding ambiguity when you have a lot of redirects and server pass-offs. – dandavis Jan 30 '17 at 18:28

2 Answers

2

This answer might help you: What is the purpose of OAuth 2.0 redirect_uri checking?

Another reason might be that providers can enforce the usage of HTTPS for the redirect URI...

nebulak
1

The OAuth2 redirect URI is used as an actual HTTP redirect. In HTTP 1.0 and 1.1, HTTP redirect URLs were initially required to be absolute URLs, although almost all browsers supported relative redirects and it eventually became allowed by the updated standard for 1.1.

Despite this, there is still a good reason for OAuth2 redirects to be absolute. The OAuth2 protocol starts with the browser being redirected to the authorization server, which should be separate from the content server, and is often in a different organization. For example, if you want to sign in to https://www.example.com/login using Microsoft credentials, the site www.example.com will redirect you to login.microsoftonline.com.

You provide your credentials directly to Microsoft, and they then redirect your browser to the redirect URI, e.g. https://www.example.com/redirect. If you could provide a relative redirect URI (/redirect) then your browser would instead load https://login.microsoftonline.com/redirect.

Jonathan Giddy
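The two answers above make two separate points: a relative `redirect_uri` would resolve against the authorization server's own origin, and an absolute value lets the provider insist on HTTPS. The following added example (mine, not code from either answer or from any OAuth provider) shows both: `where_browser_would_land` resolves a value the way a browser resolves a `Location` header, and `validate_redirect_uri` is the kind of check an authorization server applies before redirecting. The hostname `login.example-idp.test` and the registered URI set are constructed placeholders; the fragment check comes from RFC 6749 section 3.1.2, which also forbids a fragment component on the redirection endpoint.

```python
from typing import Iterable, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed placeholder for the authorization endpoint of an identity provider.
AUTH_SERVER_AUTHORIZE_URL = "https://login.example-idp.test/oauth2/authorize"

# Redirect URIs the client registered out of band (constructed for this example).
REGISTERED_REDIRECT_URIS = frozenset({
    "https://www.example.com/redirect",
})


def where_browser_would_land(redirect_uri: str,
                             auth_server_url: str = AUTH_SERVER_AUTHORIZE_URL) -> str:
    """Resolve redirect_uri the way a browser resolves a Location header.

    The page that issues the redirect is the authorization server, so a
    relative value lands on the authorization server, not on the client.
    """
    return urljoin(auth_server_url, redirect_uri)


def validate_redirect_uri(redirect_uri: str,
                          registered: Iterable[str] = REGISTERED_REDIRECT_URIS
                          ) -> Tuple[bool, str]:
    """Checks an authorization server should apply to a redirect_uri.

    Returns (accepted, reason). Order matters: the absolute-URI check comes
    first because scheme and host cannot be judged on a relative value.
    """
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc:
        return False, "not an absolute URI"
    if parts.scheme != "https":
        # The provider can only enforce HTTPS because the scheme is present.
        return False, "scheme is not https"
    if parts.fragment:
        # RFC 6749 section 3.1.2: the endpoint URI MUST NOT include a fragment.
        return False, "fragment component not allowed"
    # Exact string comparison against registered values; no prefix or host-only matching.
    if redirect_uri not in set(registered):
        return False, "not a registered redirect URI"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("/redirect", "redirect", "https://www.example.com/redirect"):
        print(f"{candidate!r:40} -> {where_browser_would_land(candidate)}")
    for candidate in ("/redirect", "http://www.example.com/redirect",
                      "https://www.example.com/redirect#frag",
                      "https://www.example.com/other",
                      "https://www.example.com/redirect"):
        print(f"{candidate!r:45} -> {validate_redirect_uri(candidate)}")
```

The resolver also shows the less obvious case from the answer: a value without a leading slash resolves relative to the authorization endpoint's path, so "redirect" would land under /oauth2/ on the identity provider. The validator's exact-match step is the same comparison the question's linked answer on redirect_uri checking is about; requiring an absolute URI is what makes that comparison, and the HTTPS rule, well defined.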