Question:
I'm developing an OAuth2 provider based on RFC 6749 and I'm wondering: why is redirect_uri required on the Access Token Request? The /token endpoint is not redirecting, and the state is assumed to be already validated (i.e. against CSRF), so a copy of the redirect URI doesn't make much sense to me.
Answer 1:
In auth code flow, it's used to validate the redirect_uri in the first auth request. https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/
Granting Access Tokens
The token endpoint will get a request to exchange an authorization code for an access token. This request will contain a redirect URL as well as the authorization code. As an added measure of security, the server should verify that the redirect URL in this request matches exactly the redirect URL that was included in the initial authorization request for this authorization code. If the redirect URL does not match, the server rejects the request with an error.
Answer 2:
The same question is debated here: https://security.stackexchange.com/questions/44214/what-is-the-purpose-of-oauth-2-0-redirect-uri-checking.
The best response IMHO is vinod's one, i.e. to reduce the attack surface when using flexible redirect_uri (using wildcards).
Answer 3:
Redirect URI is needed in case of: 1. Authorization code flow, where the server redirects with the code to the redirect URI; for example, a sample response to the authorization request is:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
The same is true for the error response for the authz code flow:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
In case of implicit grant as well, the server returns the access token in the hash "#" fragment of the redirect URI provided in the request.
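To make the point of Answer 1 (the token endpoint re-checks redirect_uri against the value bound to the code) and Answer 3 (the authorization endpoint builds the 302 Location from the redirect URI) concrete, here is an added example of a minimal authorization-server model. It is not code from the original post or from any real provider; the class and function names (AuthServer, issue_code, exchange_code, redirect_location), the registered client table and the URIs are all constructed for the illustration. It follows RFC 6749 sections 4.1.2 and 4.1.3: the code is bound to the exact redirect_uri used at /authorize, and the /token request is refused unless it presents the identical value.

```python
# Added example, not from the original post. Hypothetical authorization-server
# model showing why /token re-checks redirect_uri: the authorization code is
# bound to the exact redirect_uri it was issued for, so a code delivered to
# one URI cannot be redeemed by naming another.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    used: bool = False


class AuthServer:
    def __init__(self, registered: Dict[str, List[str]]):
        # client_id -> list of exactly registered redirect URIs (constructed).
        self.registered = registered
        self.codes: Dict[str, AuthCode] = {}

    def issue_code(self, client_id: str, redirect_uri: str) -> Optional[str]:
        """/authorize step: accept only an exactly registered redirect_uri
        (no wildcards, no prefix matching) and bind the code to it."""
        if redirect_uri not in self.registered.get(client_id, []):
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = AuthCode(client_id, redirect_uri)
        return code

    def exchange_code(self, client_id: str, code: str,
                      redirect_uri: str) -> Tuple[bool, str]:
        """/token step (RFC 6749 sec. 4.1.3): the presented redirect_uri must
        be identical to the one the code was bound to. Returns
        (ok, access_token_or_error)."""
        entry = self.codes.get(code)
        if entry is None or entry.used or entry.client_id != client_id:
            return False, "invalid_grant"
        if entry.redirect_uri != redirect_uri:
            # Mismatch is a strong signal of a stolen or replayed code:
            # refuse and burn the code so it cannot be retried.
            entry.used = True
            return False, "invalid_grant"
        entry.used = True  # codes are single-use
        return True, secrets.token_urlsafe(32)


def redirect_location(redirect_uri: str, params: Dict[str, str]) -> str:
    """Build the Location header value for the 302 from /authorize, appending
    code/state (or error/state) to any query the registered URI already has.
    The fragment is dropped: a redirect URI must not carry one."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), ""))


def demo() -> Tuple[bool, bool]:
    """Constructed walk-through: a legitimate exchange succeeds, an exchange
    that names a different redirect_uri for the same code is refused."""
    server = AuthServer({"client-a": ["https://client.example.com/cb"]})
    code = server.issue_code("client-a", "https://client.example.com/cb")
    assert code is not None
    ok_good, _ = server.exchange_code(
        "client-a", code, "https://client.example.com/cb")
    code2 = server.issue_code("client-a", "https://client.example.com/cb")
    ok_bad, _ = server.exchange_code(
        "client-a", code2, "https://client.example.com/other")
    return ok_good, ok_bad


if __name__ == "__main__":
    print(redirect_location("https://client.example.com/cb",
                            {"code": "CONSTRUCTED_CODE", "state": "xyz"}))
    print(demo())
```

The exact string comparison is deliberate: RFC 6749 requires the values to be identical, and looser matching (prefix or wildcard) is exactly what Answer 2's linked discussion warns widens the attack surface.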