1 vote

RFC6749#section-4.1.1 says that redirect_uri is optional.

But the Authorization Code Flow steps (A), (C), (D) and also (E) above describe what redirect_uri does.
Step (E) in particular describes the following:

and ensures that the redirection URI received matches the URI used to redirect the client in step (C).

So I was confused when I saw section 4.1.1.
I think maybe this document is not wrong; I am just stupid and did not understand.

Please tell me why the redirect_uri parameter is optional. Thanks in advance.

You will find some rules in RFC6749 section 3.1.2.3. From my POV it should always be set to avoid security issues (e.g. a malicious app changed the client configuration and set up its own redirect URI). By the way, this parameter is required when used for some authentication flows with OpenID Connect (see OIDC Core specification section 3.2.2.1). – Spomky-Labs

Thank you @FlorentMorselli. I did not look at the document carefully. And I forgot about the redirect_uri when registering. – galcyurio

2 Answers

2 votes

rfc6749#section-2 describes:

When registering a client, the client developer SHALL:
o provide its client redirection URIs as described in Section 3.1.2.

In RFCs, SHALL means MUST, REQUIRED.
(Key words for use in RFCs to Indicate Requirement Levels)

And let's see rfc6749#section-3.1.2.3, which was mentioned by @Florent Morselli.

If multiple redirection URIs have been registered,
if only part of the redirection URI has been registered,
or if no redirection URI has been registered,
the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.

Conclusion

If we provided only one complete redirection URI when registering the client, redirect_uri is optional in the authorization request.

warning

If the "redirect_uri" parameter was included in the authorization request, you MUST include it in the access token request. Details here.
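The two rules this answer quotes (section 3.1.2.3 for the authorization request, section 4.1.3 for the token request) as authorization-server logic. This is an added example, not code from the question or answers; the client id, URIs and the "complete vs. partial registration" test are constructed assumptions, and matching is exact string comparison.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


class OAuthError(Exception):
    """Carries an RFC 6749 error code such as 'invalid_request' or 'invalid_grant'."""


def is_complete(uri: str) -> bool:
    """Treat a registered entry as a complete redirection URI when it is absolute,
    has a path and has no fragment (RFC 6749 section 3.1.2); a scheme+host-only
    entry counts as partial registration. This split is an assumption of the example."""
    parts = urlsplit(uri)
    return bool(parts.scheme and parts.netloc and parts.path) and not parts.fragment


def resolve_redirect_uri(registered: list[str], requested: Optional[str]) -> str:
    """Section 3.1.2.3: redirect_uri may be omitted only when exactly one complete
    URI is registered; if sent, it must match a registered URI."""
    if requested is None:
        if len(registered) == 1 and is_complete(registered[0]):
            return registered[0]
        raise OAuthError("invalid_request")  # multiple, partial or no registration
    if requested not in registered:
        # Section 3.1.2.4: on mismatch the server MUST NOT redirect to the received URI.
        raise OAuthError("invalid_request")
    return requested


@dataclass
class AuthCodeRecord:
    client_id: str
    redirect_uri_in_request: Optional[str]  # value sent with the authorization request, if any


def check_token_request(record: AuthCodeRecord, client_id: str,
                        redirect_uri: Optional[str]) -> None:
    """Section 4.1.3: if redirect_uri was in the authorization request it is REQUIRED
    here and the values must be identical; otherwise the parameter is not needed."""
    if record.client_id != client_id:
        raise OAuthError("invalid_grant")
    if record.redirect_uri_in_request is not None and redirect_uri != record.redirect_uri_in_request:
        raise OAuthError("invalid_grant")


def error_code(fn: Callable, *args) -> Optional[str]:
    """Run fn(*args) and return the OAuth error code it raises, or None on success."""
    try:
        fn(*args)
    except OAuthError as exc:
        return str(exc)
    return None
```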

1 vote

The answer to your question is in step (C) (of the same RFC6749#section-4.1):

the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration).

So if there is no redirect_uri in the Authorization Request, then the authorization server uses the default URL which has been set during client registration (as described in rfc6749#section-2, which @galcyurio mentioned in his answer).

Also in #section-3.1.2:

3.1.2. Redirection Endpoint

After completing its interaction with the resource owner, the authorization server directs the resource owner's user-agent back to the client. The authorization server redirects the user-agent to the client's redirection endpoint previously established with the authorization server during the client registration process or when making the authorization request.