OAuth2 & OpenID Connect Deep Dive · Lesson

Securing Redirect URIs

Learn why redirect URI validation is the linchpin of OAuth2 security and how to prevent open redirector and code-interception attacks.

The redirect_uri Is Critical

After the user authorizes, the authorization server delivers the authorization code (or, in the legacy implicit flow, the token itself) to the client by redirecting the browser to the redirect_uri. If an attacker can influence that URI, the code is delivered to a destination the attacker controls and can be exchanged for tokens. The same outcome follows if a registered redirect_uri points at an open redirector on the client: the code arrives at the client, which then forwards the browser, with the code still in the URL, to an attacker-chosen destination.

Redirect URI validation is therefore one of the highest-impact security controls in OAuth2.

Exact Matching

The single most important rule: the authorization server must compare the supplied redirect_uri against the pre-registered values using exact string matching. No prefix matching, no wildcards, no regular expressions, and no normalization of scheme, host, path or query before comparing. The one standardized exception is the loopback redirect used by native apps (RFC 8252, section 7.3): for a registered http://127.0.0.1 or http://[::1] URI only the port may vary, because the app binds an ephemeral port at runtime; everything else must still match exactly. If the request fails validation, the server must show an error page rather than redirect to the unvalidated value. The same exact comparison applies again at the token endpoint: a redirect_uri included in the token request must be identical to the one used in the authorization request.

Registered: https://app.example.com/callback
Request:    https://app.example.com/callback           (OK)
Request:    https://app.example.com/callback/x         (REJECT: extra path segment)
Request:    https://app.example.com/callback?next=x    (REJECT: query string added)
Request:    http://app.example.com/callback            (REJECT: scheme differs)
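The comparison above, written out as an added example for this lesson (it is not code from the course or from any particular authorization server). It puts a deliberately vulnerable prefix matcher beside the exact matcher, adds the RFC 8252 loopback carve-out for native apps, and shows the authorization-endpoint decision including the rule that an omitted redirect_uri is only acceptable when exactly one is registered. The client IDs, registered URIs and request values are constructed test data.

```python
"""Redirect URI validation: prefix matching (vulnerable) vs exact matching.

Added example for the lesson, not code from the course. The client
registrations below are constructed test data.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed registration data for hypothetical clients.
REGISTERED = {
    "web-app":    ["https://app.example.com/callback"],
    "portal":     ["https://portal.example.com"],      # bare origin, no path
    "native-app": ["http://127.0.0.1/callback"],       # loopback, RFC 8252
}

LOOPBACK_HOSTS = ("127.0.0.1", "::1")


def prefix_match(client_id: str, requested: str) -> bool:
    """VULNERABLE: accepts any value that merely starts with a registered URI.
    A registered 'https://portal.example.com' also admits
    'https://portal.example.com.attacker.net/', an attacker-controlled host."""
    return any(requested.startswith(r) for r in REGISTERED.get(client_id, ()))


def exact_match(client_id: str, requested: str) -> bool:
    """Exact string comparison: no prefix, no wildcard, no normalization.
    Scheme case, extra path segments, query and fragment all cause rejection."""
    return requested in REGISTERED.get(client_id, ())


def _is_loopback_literal(uri: str) -> bool:
    """True for http://127.0.0.1... and http://[::1]... (not for 'localhost')."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def loopback_match(client_id: str, requested: str) -> bool:
    """RFC 8252 section 7.3 carve-out for native apps: when both the registered
    and the requested URI are loopback IP literals, only the port may differ.
    Scheme, host, path, query and fragment must still match exactly."""
    if not _is_loopback_literal(requested):
        return False
    req = urlsplit(requested)
    for reg in REGISTERED.get(client_id, ()):
        if not _is_loopback_literal(reg):
            continue
        r = urlsplit(reg)
        if (r.hostname, r.path, r.query, r.fragment) == (
                req.hostname, req.path, req.query, req.fragment):
            return True
    return False


def resolve_redirect_uri(client_id: str, requested: Optional[str]) -> Optional[str]:
    """Authorization-endpoint decision: the redirect URI to use, or None to reject.
    On None the server must NOT redirect to the supplied value; it shows an
    error page instead (RFC 6749 section 4.1.2.1)."""
    registered = REGISTERED.get(client_id, ())
    if requested is None:
        # Omitting redirect_uri is only acceptable when exactly one is registered.
        return registered[0] if len(registered) == 1 else None
    if exact_match(client_id, requested) or loopback_match(client_id, requested):
        return requested
    return None


if __name__ == "__main__":
    # Prefix matching lets the attacker-controlled host through; exact does not.
    print(prefix_match("portal", "https://portal.example.com.attacker.net/"))  # True
    print(exact_match("portal", "https://portal.example.com.attacker.net/"))   # False
    print(resolve_redirect_uri("native-app", "http://127.0.0.1:51234/callback"))
```

The matcher never redirects on failure: `resolve_redirect_uri` returns None so the caller renders an error, which is what stops a rejected value from being used as an open redirector in its own right.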
