OAuth2 Redirect URI

The OAuth2 redirect URI (callback URL) is the client endpoint to which the authorization server sends the user's browser once the user has authenticated and consented. The redirect carries the authorization code (or, in the legacy implicit flow, the tokens themselves) back to the client application, so whoever controls the redirect target receives that code or token. Strict validation of redirect_uri on the authorization server is therefore critical.

How It Works

// 1. Client sends redirect_uri (and a state value bound to the user's session) in the authorization request
GET /authorize?
  client_id=app123&
  redirect_uri=https://app.com/callback&
  ...

// 2. After authentication and consent, the server redirects to the validated URI with the code and the same state
HTTP/1.1 302 Found
Location: https://app.com/callback?code=ABC123&state=XYZ
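The exchange above from the client's side, as an added example that is not part of the original page. `AUTHORIZE_ENDPOINT` is a hypothetical authorization server; `client_id` and `redirect_uri` are the ones used on this page. It shows what the `state` parameter in the redirect is for: the client binds a fresh value to the session when it builds the request, and refuses any callback whose `state` it did not issue.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for the example: the authorization endpoint is hypothetical,
# client_id and redirect_uri are the ones used on this page.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "app123"
REDIRECT_URI = "https://app.com/callback"


def build_authorization_request(session: dict) -> str:
    """Step 1: build the authorization request URL and bind a fresh `state`
    to the user's session, so the callback can later be tied to this request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: the client receives the redirect (the full URL the browser hit).
    Returns the authorization code; raises ValueError if the response cannot be
    tied to a request this session started, or carries an error instead of a code."""
    parts = urlsplit(callback_url)
    if parts.fragment:
        # A code-flow response never uses the fragment; treat one as tampering.
        raise ValueError("unexpected fragment in callback URL")
    params = parse_qs(parts.query)

    # state is single-use: pop it so a replayed callback fails the check below.
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not bound to this session")

    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"][0])

    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


if __name__ == "__main__":
    session = {}
    print(build_authorization_request(session))
    # Simulate the authorization server's 302 Location back to the client.
    callback = REDIRECT_URI + "?" + urlencode({"code": "ABC123", "state": session["oauth_state"]})
    print(handle_callback(session, callback))
```

The `state` check is what stops an attacker from completing a login with a code they obtained elsewhere (login CSRF); it does not protect a code that leaks through a bad redirect_uri, which is the authorization server's job to prevent.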

Common Vulnerabilities

Weak redirect_uri Validation (Open Redirect)

// Suffix, prefix or regex matching instead of an exact comparison lets the attacker steer the redirect
// Host "ends with app.com": subdomain the attacker controls
redirect_uri=https://evil.app.com/callback
// Path "starts with /callback": traversal appended after the allowed path
redirect_uri=https://app.com/callback/../../../evil.com
// Allowed path that itself has an open redirect: the browser is bounced on to evil.com
// carrying the code (query) or, in the implicit flow, the token (fragment, which browsers keep across a redirect whose Location has no fragment)
redirect_uri=https://app.com/callback?next=https://evil.com

Subdomain Takeover

// old.app.com is still an accepted redirect_uri (registered, or matched by a *.app.com rule),
// but its DNS points at a decommissioned resource an attacker can claim:
redirect_uri=https://old.app.com/callback
// Attacker claims old.app.com, serves a page there and receives the authorization code (or token)

Leakage Through an Allowed Path

// XSS or an open redirect on an otherwise allowed path leaks whatever the redirect delivers
redirect_uri=https://app.com/callback#
// In the implicit flow the token is returned in the fragment; it never reaches the server,
// but script running on the page (XSS) can read it from location.hash, and a further redirect
// without a fragment of its own carries it along
// RFC 6749 §3.1.2 forbids a fragment in redirect_uri, so a server that accepts "callback#" at all
// has already failed exact matching

Secure Validation

  • Exact string matching against the registered value (RFC 6749 §3.1.2.2): no prefix, suffix or regex matching
  • Pre-register allowed redirect URIs per client at registration time
  • No wildcards in production (a *.app.com rule is exactly what the subdomain cases above exploit)
  • Reject URIs containing a fragment (RFC 6749 §3.1.2 forbids one) or other unusual characters
  • Normalize before comparing and reject path traversal sequences; exact matching only makes them moot if nothing re-parses the URI afterwards
  • On a mismatch, show an error page and never redirect to the supplied URI (RFC 6749 §3.1.2.4)
  • Use PKCE (RFC 7636) so that a code which does leak cannot be exchanged without the verifier
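Weak versus exact redirect_uri validation on the authorization server, as an added example that is not part of the original page. `REGISTERED` is a constructed registry for the page's client `app123`; `weak_validate` is a deliberately weak suffix/prefix check of the kind the attack cases above abuse, `strict_validate` is the exact-match check the list recommends, and `authorize` returns the response the server should give: a 302 to the registered URI on a match, a 400 error page with no redirect otherwise.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed registry: redirect URIs pre-registered per client_id (assumed data).
REGISTERED = {
    "app123": {"https://app.com/callback"},
}

# The redirect_uri values from the attack cases above (constructed from this page).
ATTACK_PAYLOADS = [
    "https://evil.app.com/callback",                    # subdomain
    "https://app.com/callback/../../../evil.com",       # path traversal
    "https://app.com/callback?next=https://evil.com",   # open redirect on allowed path
    "https://old.app.com/callback",                     # takeover candidate
    "https://app.com/callback#",                        # fragment
]


def weak_validate(client_id: str, redirect_uri: str) -> bool:
    """Deliberately weak check, kept here to show what slips past it:
    scheme must match, host must END WITH the registered host and
    path must START WITH the registered path."""
    supplied = urlsplit(redirect_uri)
    for allowed in REGISTERED.get(client_id, ()):
        reg = urlsplit(allowed)
        if (supplied.scheme == reg.scheme
                and (supplied.hostname or "").endswith(reg.hostname or "")
                and supplied.path.startswith(reg.path)):
            return True
    return False


def strict_validate(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered set (RFC 6749 §3.1.2.2).
    A fragment is rejected outright: RFC 6749 §3.1.2 forbids one in redirect_uri."""
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED.get(client_id, set())


def accepted_by(validator, client_id: str = "app123") -> list:
    """Which of the attack payloads a given validator lets through."""
    return [uri for uri in ATTACK_PAYLOADS if validator(client_id, uri)]


def _append_query(uri: str, params: dict) -> str:
    """Add parameters to a URI that may already carry a query string."""
    parts = urlsplit(uri)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def authorize(client_id: str, redirect_uri: str, state: str, code: str,
              validator=strict_validate):
    """Authorization endpoint decision after the user has consented.
    Returns (status, location). On an invalid redirect_uri the server renders
    an error page and MUST NOT redirect to the supplied URI (RFC 6749 §3.1.2.4),
    so location is None."""
    if not validator(client_id, redirect_uri):
        return 400, None
    return 302, _append_query(redirect_uri, {"code": code, "state": state})


if __name__ == "__main__":
    print("weak accepts:  ", accepted_by(weak_validate))
    print("strict accepts:", accepted_by(strict_validate))
    print(authorize("app123", "https://app.com/callback", "XYZ", "ABC123"))
    print(authorize("app123", "https://evil.app.com/callback", "XYZ", "ABC123"))
```

Run stand-alone, the weak validator accepts every payload on the page and the exact-match validator accepts none of them. Note that exact matching also rejects `https://app.com/callback?next=https://evil.com`; if a deployment must allow a query component, register the complete URI including that query rather than relaxing the comparison.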

PentesterLab Exercises