[Openid-specs-ab] Can redirect_uri be omitted in OIDC code flows?

John Bradley ve7jtb at ve7jtb.com
Thu Feb 4 17:59:51 UTC 2016


To be compliant with the spec you must include it in the request.

There was debate about that at the time.  It is not really a security issue if there is only one registered redirect URI.

I think the issue was that making it optional in the spec based on how some other part of the process registered the client was going to be more confusing to developers. 

Personally, if I were doing an AS, if the client only had one registered redirect_uri and didn’t send the parameter I would not throw an error based on that.

On the other hand, if a client wants to work with multiple ASes then it needs to always send it to be safe.

John B.

> On Feb 4, 2016, at 1:35 PM, Sergey Beryozkin <sberyozkin at gmail.com> wrote:
> 
> Hi All,
> 
> My colleague has noticed that in OIDC, when clients redirect the users to OIDC server, 'redirect_uri' is required.
> 
> I recall that one of the experts was saying that in pure OAuth2, if a client registration contains a single redirect_uri only, then having the client include it during the actual code redirection requests is optional.
> 
> Can the same be applied when the code flows are used in OIDC?
> 
> Many thanks, Sergey
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
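As an added illustration (not part of this thread and not code from any OpenID project), the two server-side behaviours discussed above can be written down as one resolution step an authorization server performs on every authorization request: the strict OIDC Core rule (redirect_uri is required), and the lenient rule John describes (fall back to the single registered URI when the parameter is omitted). In both modes a supplied value is accepted only on exact string match against the registration, which is the comparison OAuth 2.0 (RFC 6749, section 3.1.2.3) requires, and a failure is surfaced to the user rather than redirected anywhere. The client ids and URIs are constructed sample data.

```python
# Added example: resolving the redirect_uri of an authorization request on the
# authorization-server side. Registrations and request parameters are constructed.
from dataclasses import dataclass, field


@dataclass
class ClientRegistration:
    client_id: str
    redirect_uris: list[str] = field(default_factory=list)


class RedirectUriError(ValueError):
    """The request cannot be bound to a registered redirect URI.

    The AS must NOT redirect this error to the supplied (unvalidated) URI;
    it should be shown to the resource owner directly.
    """


def resolve_redirect_uri(client: ClientRegistration, params: dict,
                         strict_oidc: bool = True) -> str:
    """Return the redirect URI the authorization response will be sent to.

    strict_oidc=True  -> OIDC Core behaviour: the parameter is required.
    strict_oidc=False -> lenient behaviour from the thread: if the client
                         registered exactly one URI and omitted the parameter,
                         use that URI; with zero or several registered URIs
                         the parameter is still mandatory.
    A supplied value is accepted only if it is byte-for-byte equal to a
    registered URI (no prefix, wildcard or normalised matching).
    """
    supplied = params.get("redirect_uri")
    if supplied is None:
        if strict_oidc:
            raise RedirectUriError("redirect_uri is required in OIDC requests")
        if len(client.redirect_uris) == 1:
            return client.redirect_uris[0]
        raise RedirectUriError(
            "redirect_uri omitted but client has %d registered URIs"
            % len(client.redirect_uris))
    if supplied not in client.redirect_uris:
        raise RedirectUriError("redirect_uri does not match a registered URI")
    return supplied


def is_rejected(client: ClientRegistration, params: dict,
                strict_oidc: bool = True) -> bool:
    """Helper for callers that only need to know whether a request is refused."""
    try:
        resolve_redirect_uri(client, params, strict_oidc)
    except RedirectUriError:
        return True
    return False


# Constructed sample registrations.
SINGLE_URI_CLIENT = ClientRegistration("app-one", ["https://app.example/cb"])
MULTI_URI_CLIENT = ClientRegistration(
    "app-two", ["https://app.example/cb", "https://app.example/cb2"])

if __name__ == "__main__":
    # Strict OIDC: omitting the parameter is refused even with one registration.
    print(is_rejected(SINGLE_URI_CLIENT, {}))                       # True
    # Lenient mode: the single registered URI is used.
    print(resolve_redirect_uri(SINGLE_URI_CLIENT, {}, strict_oidc=False))
    # Lenient mode still refuses omission when several URIs are registered.
    print(is_rejected(MULTI_URI_CLIENT, {}, strict_oidc=False))     # True
    # A near-miss (extra path segment) never matches.
    print(is_rejected(SINGLE_URI_CLIENT,
                      {"redirect_uri": "https://app.example/cb/extra"}))  # True
```

The `strict_oidc` switch is the policy decision the thread is about; what does not change between the two modes is that an explicitly supplied value is compared exactly, and that a mismatch ends the request at the AS instead of bouncing the user to an unverified location.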
