OAuth 2.0 redirect URI validation

OAuth 2.0 servers must check that the redirect_uri of a received authorisation request is identical to a redirection URI registered for the client. Failing to validate the redirect_uri exactly exposes the deployment to attacks such as authorisation code exfiltration.

Exact URI string matching is the most secure way to validate a redirect_uri and thus the recommendation of the OAuth working group.

OAuth 2.0 server implementers who choose to check the redirect_uri by some other method, for example by pattern matching in order to allow wildcards in a portion of the URI, run a significant risk. If the check has a flaw, an attacker may be able to craft a redirect_uri that passes it and use it to steal authorisation codes or tokens. Always use strict URI string matching!

The OAuth 2.0 / OpenID Connect SDK includes a special RedirectURIValidator class used internally by the parse methods of AuthorizationRequest and ClientMetadata. It applies extra security checks to the redirect_uri and rejects it if the URI is deemed suspicious or vulnerable.

As of version 10.14 a validation exception is thrown when any of the following is detected:

  • The redirect URI includes a fragment (fragments are not allowed).

  • The redirect URI has a "data", "javascript" or "vbscript" scheme, which can be used in an attack described by Lauritz Holtmann in 2020.

  • The redirect URI includes a "code" or "state" query parameter, which can be used in an attack described in the "OAuth 2.0 Redirect URI Validation Falls Short, Literally" talk by Tommaso Innocenti, Matteo Golinelli, Kaan Onarlioglu, Bruno Crispo and Engin Kirda at the OAuth Security Workshop 2023. The "response" query parameter used in JARM was added to this blacklist as well.
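The following is an added, stand-alone illustration of the two ideas above, exact string matching against the registered URIs and the extra rejection rules (fragment, forbidden scheme, forbidden query parameter); it is not the SDK's RedirectURIValidator and does not reproduce its API. The client URI "https://client.example.com/cb" and all sample inputs are constructed for the example.

```python
"""Redirect URI validation as described on the page: exact string matching plus
extra rejection rules. Stand-alone illustration, not the Nimbus SDK's own code."""
from urllib.parse import urlsplit, parse_qs

# Schemes listed on the page as usable in the attack described by Lauritz Holtmann (2020).
FORBIDDEN_SCHEMES = frozenset({"data", "javascript", "vbscript"})

# Query parameter names listed on the page as usable in the Innocenti et al. (OSW 2023)
# attack, plus "response", the parameter JARM uses to carry the signed response.
# Names are compared case-sensitively, as OAuth query parameter names are.
FORBIDDEN_QUERY_PARAMS = frozenset({"code", "state", "response"})


class RedirectURIValidationError(ValueError):
    """Raised when a redirect_uri is rejected."""


def check_redirect_uri(redirect_uri):
    """Syntactic checks applied to every redirect_uri, at registration and at request time."""
    # urlsplit treats the first '#' as the fragment delimiter, so an empty fragment
    # ("...#") yields parts.fragment == "" and would slip past a check on that field alone.
    if "#" in redirect_uri:
        raise RedirectURIValidationError("fragment not allowed")
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() in FORBIDDEN_SCHEMES:
        raise RedirectURIValidationError(f"scheme not allowed: {parts.scheme}")
    # keep_blank_values so that "?code=" (empty value) is still detected
    query = parse_qs(parts.query, keep_blank_values=True)
    clash = FORBIDDEN_QUERY_PARAMS.intersection(query)
    if clash:
        raise RedirectURIValidationError(
            f"query parameter(s) not allowed: {', '.join(sorted(clash))}")


def register_redirect_uris(uris):
    """Client registration: apply the checks to each URI and return the accepted set."""
    accepted = set()
    for uri in uris:
        check_redirect_uri(uri)
        accepted.add(uri)
    return frozenset(accepted)


def registration_error(uris):
    """Return the rejection reason for a registration attempt, or None if it succeeds."""
    try:
        register_redirect_uris(uris)
        return None
    except RedirectURIValidationError as e:
        return str(e)


def validate_request_redirect_uri(redirect_uri, registered):
    """Authorisation request: checks, then an exact, case-sensitive string comparison.
    No prefix, wildcard or normalisation logic; the string must match verbatim."""
    check_redirect_uri(redirect_uri)
    if redirect_uri not in registered:
        raise RedirectURIValidationError("redirect_uri does not match a registered URI")
    return redirect_uri


def classify(redirect_uri, registered):
    """Return 'ok' or the rejection reason, for tabulating results."""
    try:
        validate_request_redirect_uri(redirect_uri, registered)
        return "ok"
    except RedirectURIValidationError as e:
        return str(e)


# Constructed sample client (hypothetical, not from the page).
REGISTERED = register_redirect_uris(["https://client.example.com/cb"])

# Constructed sample redirect_uri values an authorisation server might receive.
SAMPLE_REQUEST_URIS = [
    "https://client.example.com/cb",                     # exact match
    "https://client.example.com/cb/",                    # trailing slash: not identical
    "https://client.example.com/CB",                     # case differs: not identical
    "https://client.example.com/cb?next=home",           # extra query: not identical
    "https://client.example.com/cb#",                    # empty fragment
    "https://client.example.com/cb#token",               # fragment
    "javascript:alert(document.domain)",                 # forbidden scheme
    "https://client.example.com/cb?code=",               # forbidden query parameter
    "https://client.example.com/cb?state=x&response=y",  # two forbidden parameters
]


def run_samples():
    """Map each sample redirect_uri to its validation outcome."""
    return {uri: classify(uri, REGISTERED) for uri in SAMPLE_REQUEST_URIS}


if __name__ == "__main__":
    for uri, outcome in run_samples().items():
        print(f"{uri:55} -> {outcome}")
    print(registration_error(["https://client.example.com/cb", "data:text/html,x"]))
```

Note that the syntactic checks run before the exact comparison, so a suspicious URI is refused with a specific reason even when it happens to match a registered one, and they also run at registration so that such a URI cannot be registered in the first place.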