21 Oct
What is the purpose of OAuth 2.0 redirect_uri checking?
The OAuth 2.0 specification's authorization code mechanism includes redirect URI checking from the site you redirect to. See steps D and E in section 4.1 of the spec. Also, section 4.1.3 describes in detail that the redirected-to client needs to transmit `redirect_uri`, and that it needs to match that of the initial authorization request.
I can't think of any attack vector that is mitigated by this being a part of the protocol. Why is this redirect_uri check necessary?
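As an added illustration of the check the question is about (this is example code written for this page, not the asker's code and not taken from RFC 6749), the block below models the two authorization-server endpoints from sections 4.1.1 and 4.1.3 in memory: the authorization endpoint only accepts a `redirect_uri` that is registered for the client and binds the issued code to the URI it saw, and the token endpoint refuses to redeem the code unless the `redirect_uri` presented with it is identical to the one bound at issuance (and is present whenever one was sent in the authorization request). The client id, the registered URI, the token format and the `demo()` scenario are constructed for the example.

```python
"""Added example, not from the question or the RFC text: an in-memory model
of the OAuth 2.0 authorization endpoint (RFC 6749 section 4.1.1) and token
endpoint (section 4.1.3) showing how redirect_uri is validated at issuance
and then re-checked, for identity, when the code is redeemed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed registration data: each client_id maps to its registered redirect URIs.
REGISTERED_CLIENTS = {
    "client-a": {"https://app.example.com/callback"},
}


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: Optional[str]   # exactly what the authorization request carried (None if absent)
    used: bool = False


@dataclass
class AuthorizationServer:
    codes: Dict[str, IssuedCode] = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: Optional[str]) -> str:
        """Authorization endpoint: validate the client and the redirect_uri it
        supplied, then issue a single-use code bound to that request.
        Returns the code the user agent would be redirected back with."""
        registered = REGISTERED_CLIENTS.get(client_id)
        if registered is None:
            raise ValueError("unknown client_id")
        if redirect_uri is None:
            # No URI in the request is only acceptable when exactly one is registered.
            if len(registered) != 1:
                raise ValueError("redirect_uri required")
        elif redirect_uri not in registered:
            # Exact string comparison against the registered value; the server
            # must never redirect the user agent to an unregistered URI.
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri)
        return code

    def token(self, client_id: str, code: str, redirect_uri: Optional[str]) -> dict:
        """Token endpoint: the code must belong to this client and be unused,
        and if the authorization request carried a redirect_uri, the token
        request must carry an identical one (section 4.1.3)."""
        issued = self.codes.get(code)
        if issued is None or issued.used:
            raise PermissionError("invalid_grant: unknown or already used code")
        # Conservative choice for this example: burn the code on any failed redemption.
        issued.used = True
        if issued.client_id != client_id:
            raise PermissionError("invalid_grant: code was issued to another client")
        if issued.redirect_uri is not None and issued.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def redemption_rejected(server: AuthorizationServer, client_id: str,
                        code: str, redirect_uri: Optional[str]) -> bool:
    """True if the token endpoint refuses this redemption attempt."""
    try:
        server.token(client_id, code, redirect_uri)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Constructed scenario: a matching redemption succeeds, a mismatched
    redirect_uri is rejected, and a code cannot be redeemed twice."""
    srv = AuthorizationServer()
    good_uri = "https://app.example.com/callback"

    code = srv.authorize("client-a", good_uri)
    first = srv.token("client-a", code, good_uri)

    code2 = srv.authorize("client-a", good_uri)
    mismatch_rejected = redemption_rejected(srv, "client-a", code2, "https://other.example.org/cb")

    reuse_rejected = redemption_rejected(srv, "client-a", code, good_uri)
    return {
        "first_token_type": first["token_type"],
        "mismatch_rejected": mismatch_rejected,
        "reuse_rejected": reuse_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The token endpoint compares the two URIs as exact strings, which is what the spec's "MUST be identical" wording calls for; doing prefix or host-only matching there would weaken the binding between the code and the request that produced it.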