Redirect URIs play a crucial role in OAuth security, as their primary purpose is to safeguard users against potential attacks in redirect-based flows.
Redirect URI Overview
The OAuth process depends heavily on redirect URLs. Once an application receives successful authorization from a user, the authorization server sends the user back to the respective application. Because confidential data (the authorization code or token) is embedded in the redirect URL, it is crucial that the service does not route the user to arbitrary locations.
The authorization server should strictly adhere to redirecting to pre-registered locations only.
If an attacker manages to alter the redirect URL before the user reaches the authorization server, they can trick the server into sending the user to a malicious site, which then receives the authorization code. If the authorization endpoint does not restrict the URLs it will redirect to, it is considered an "open redirector", which can be combined with other weaknesses to mount attacks not necessarily related to OAuth. This is a typical way attackers attempt to intercept an OAuth transaction and steal access tokens.
Redirect URI Registration
A reliable way to ensure the user is only sent to appropriate locations is to require the developer to register one or more redirect URLs when creating the application. To register a redirect URI, modify your client configuration in the authorization server settings.
Note that redirect URIs must be specified as a full URL, such as https://example.com/callback, and wildcards are not permitted.
Native Clients
Different operating systems support various patterns for native clients. One approach is for the application to claim a specific domain, such as example.com. Alternatively, the client can register a custom URL scheme such as cemobile://callback.
Why Wildcards Are Not Allowed
Wildcards are not supported in order to protect users from nested open redirect vulnerabilities. Allowing wildcards would let an attacker send users to any page matched by the wildcard, effectively creating an open redirect. For example, an attacker could abuse a redirect such as https://example.com/callback?redirect=https://example-evil.com.
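The following is an added illustration of the exact-match check described in the two sections above; it is not code from the original page or from the authorization server it documents. The client IDs and registered URIs are constructed samples, and the "insecure" function exists only to show what a wildcard-style prefix comparison would let through.

```python
from urllib.parse import urlsplit

# Constructed sample registrations (not from the original page): a web client
# with an https callback and a native client with a custom URL scheme.
REGISTERED_REDIRECT_URIS = {
    "web-client": {"https://example.com/callback"},
    "native-client": {"cemobile://callback"},
}


def _canonical(uri: str) -> str:
    """Lower-case only the scheme and host, which are case-insensitive per
    RFC 3986; path, query and fragment are kept exactly as given."""
    p = urlsplit(uri)
    rebuilt = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    if p.query:
        rebuilt += "?" + p.query
    if p.fragment:
        rebuilt += "#" + p.fragment
    return rebuilt


def is_valid_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Strict check an authorization endpoint should apply to redirect_uri.

    True only when the value is one of the URIs registered for client_id.
    There is no prefix or wildcard matching, so a nested parameter such as
    ?redirect=https://example-evil.com changes the string and is rejected,
    as are trailing slashes, fragments and relative URIs.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    if not registered:
        return False
    p = urlsplit(redirect_uri)
    if not p.scheme or p.fragment:  # absolute URI required; fragments never allowed
        return False
    return _canonical(redirect_uri) in {_canonical(r) for r in registered}


def insecure_prefix_match(client_id: str, redirect_uri: str) -> bool:
    """The wildcard-style comparison the page warns against, kept only to
    show that it accepts the nested open redirect example."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return any(redirect_uri.startswith(r) for r in registered)


if __name__ == "__main__":
    evil = "https://example.com/callback?redirect=https://example-evil.com"
    print("strict match accepts nested redirect:", is_valid_redirect_uri("web-client", evil))  # False
    print("prefix match accepts nested redirect:", insecure_prefix_match("web-client", evil))  # True
```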
Redirect URIs in Authorization Code Flow
During the authorization flow, the client must provide a valid preconfigured redirect URI. Additionally, the client can specify a redirect URI when calling the token endpoint.
Updated: Sep 8, 2023