10

The authorized redirect URI is used by google to do a callback to pass the authorization token.

It is also used for validation by google. So when receiving the actual oauth request, google checks to see if the callback url given in the request is same as "Authorized redirect URI" and if not it throws error.

My requirement is to prevent google from doing this validation as I want to be able to pass different callback urls at run time . I tried giving the "authorized redirect URI" as empty, but that doesn't work. Any suggestions ?

Zenil
  • 1,491
  • 3
  • 12
  • 21
  • redirect URI must be the same as the one you have set up for your application in the cloud developers console. – Linda Lawton - DaImTo Aug 20 '14 at 09:41
  • Can I set “Authorized redirect URI” as empty during set up ? The LinkedIn api allows you to do something similar. When set as empty, then I can pass any callback url in the api and it works..Was wondering if there's something similar for google.. – Zenil Aug 21 '14 at 20:06
  • Can you not just route the callback yourself from the provided URI? – Paranoid Android Feb 28 '15 at 18:06

2 Answers2

3

Yes, in Google OAuth 2.0, although you can set no uris in REDIRECT URIS, it doesn't make any sense. Redirect uri is required in client registration and oauth flows(authorization code flow and implicit flow). Lack of a redirection URI registration requirement can enable an attacker to use the authorization endpoint as an open redirector.

You mentioned that LinkedIn enabled open redirectURI. This is not acceptable in security. And I've noticed that LinkedIn has fixed this issue.

In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application's redirect URLs with us by April 11, 2014.

Here is LinkedIn's announcement.

Community
  • 1
  • 1
Owen Cao
  • 7,955
  • 2
  • 27
  • 35
1

No, Authorised redirect URI is NOT mandatory.

See, for example, https://developers.google.com/+/web/signin/javascript-flow

The quickstart example even shows how you might use different callback URLs

Ian
  • 679
  • 1
  • 8
  • 17