5

The RFC for Oauth2 says the redirect_uri which was specified when generating the authorization code must be included in the request to exchanging the code for an access token.

From the RFC:

4.1.3. Access Token Request

The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:

[...]

redirect_uri

REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3

Why is the redirect_uri required when exchanging the code for an access token? What benefit does this provide?

Community
  • 1
  • 1
kubasub
  • 455
  • 1
  • 5
  • 12

1 Answers1

3

It is described in 10.6. Authorization Code Redirection URI Manipulation:

https://www.rfc-editor.org/rfc/rfc6749#section-10.6

10.6. Authorization Code Redirection URI Manipulation

When requesting authorization using the authorization code grant type, the client can specify a redirection URI via the "redirect_uri" parameter. If an attacker can manipulate the value of the redirection URI, it can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the authorization code.

An attacker can create an account at a legitimate client and initiate the authorization flow. When the attacker's user-agent is sent to the authorization server to grant access, the attacker grabs the authorization URI provided by the legitimate client and replaces the client's redirection URI with a URI under the control of the attacker. The attacker then tricks the victim into following the manipulated link to authorize access to the legitimate client.

Once at the authorization server, the victim is prompted with a normal, valid request on behalf of a legitimate and trusted client, and authorizes the request. The victim is then redirected to an endpoint under the control of the attacker with the authorization code. The attacker completes the authorization flow by sending the authorization code to the client using the original redirection URI provided by the client. The client exchanges the authorization code with an access token and links it to the attacker's client account, which can now gain access to the protected resources authorized by the victim (via the client).

In order to prevent such an attack, the authorization server MUST ensure that the redirection URI used to obtain the authorization code is identical to the redirection URI provided when exchanging the authorization code for an access token. The authorization server MUST require public clients and SHOULD require confidential clients to register their redirection URIs. If a redirection URI is provided in the request, the authorization server MUST validate it against the registered value.

andrija
  • 1,057
  • 11
  • 21
  • 3
    Assuming allowed redirect_uris are preset and matched exactly during authorization code grant, is this no longer a concern? Also, thank you for the link! – kubasub Feb 19 '19 at 20:07
  • Allowed redirect_uris are strong protection, but not everybody does it properly. Many people just use "*" because it is easier. Also, it is possible that hacker took control of one computer that is on the allowed list and trying to steal token requested from another one. – andrija Sep 05 '22 at 09:37