Redirect URI validation is the process of ensuring an OAuth or OIDC authorization response is sent only to an approved and expected redirect destination. It matters because weak redirect handling can leak authorization codes or tokens to attacker-controlled destinations.
What is Redirect URI Validation?
When an authorization server completes a flow, it must confirm that the redirect target matches a registered and allowed destination for the client. Strict validation helps prevent open redirect abuse, token leakage, and unauthorized code capture in delegated access flows.
What Redirect URI Validation Commonly Supports
Common protections include exact redirect matching, pre-registered redirect URIs, scheme restrictions, and denial of wildcard or loosely parsed redirect destinations.
Redirect URI Validation vs. Loose Redirect Matching
Loose matching tolerates partial or broad redirect patterns that can be abused. Strong validation restricts responses to clearly approved destinations only.
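The following is an added illustration, not code from the original page, of the protections listed above (pre-registration, scheme restriction, denial of wildcards, exact matching) beside the prefix-style loose matching this section contrasts them with. The client id, registered URI and requested URIs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed in-memory client registry for the example; not a real deployment.
REGISTERED_CLIENTS: dict[str, set[str]] = {}
ALLOWED_SCHEMES = {"https"}


def register_redirect_uri(client_id: str, uri: str) -> bool:
    """Registration-time check: admit a redirect URI only if it is absolute,
    uses an allowed scheme, and carries neither a fragment nor a wildcard."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    if parts.fragment or "*" in uri:
        return False
    REGISTERED_CLIENTS.setdefault(client_id, set()).add(uri)
    return True


def validate_redirect_uri(client_id: str, requested: str) -> bool:
    """Authorization-time check: exact string comparison against the client's
    pre-registered URIs. Any difference in host, path, query or case fails."""
    return requested in REGISTERED_CLIENTS.get(client_id, set())


def loose_match(client_id: str, requested: str) -> bool:
    """Prefix matching on the registered origin, included only to show what
    loose matching accepts that exact matching rejects."""
    for uri in REGISTERED_CLIENTS.get(client_id, set()):
        p = urlsplit(uri)
        if requested.startswith(f"{p.scheme}://{p.netloc}"):
            return True
    return False
```

A URI such as the registered host followed by extra labels, or the registered path with an appended query, passes loose_match but not validate_redirect_uri; that difference is the whole point of exact matching.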
Frequently Asked Questions
Why is redirect URI validation important?
Because redirect abuse can turn an otherwise normal OAuth flow into an opportunity to steal credentials or tokens: the authorization response is delivered to whatever destination the authorization server accepts.
Does PKCE replace redirect URI validation?
No. PKCE helps protect code exchange, but redirect destinations still need strict validation.