There are three options for registering redirect URIs with your client credentials.
- Register all redirect_uris fully
This is what is encouraged on the registration form and is what most third parties do. - Register just the host name
If the client app is registered with a redirect_uri that is just the host name, then any redirect_uri at that host can be used. So, for example if the following redirect_uri is registered: https://thirdparty.com
then all of the following redirect_uris will work
https://thirdparty.com/oauth/callback1
https://thirdparty.com/callback2
https://thirdparty.com:8080/callback
https://thirdparty.com/anything-else-as-long-as-the-host-is-the-same
If you decide that this approach might work for you - you can perhaps handle the URIs by registering all of the redirect URIs in one of your domains and then redirect again to the appropriate domain. - Register no redirect_uris at all
If the client app is configured with no redirect_uris, then any redirect_uri can be used. This is less secure than specifying redirect_uris. The redirect_uris give an extra level of security because they prevent somebody using someone else's stolen client credentials (because we would never redirect to their domain - they would also have to have control over the user's DNS to get round that!). For more on the potential risks here, you may enjoy this short post staring "Evil User": OAuth 2.0 Redirection URI Validation. Because of the potential risks, we only allow this option on the Sandbox API.
When registering for credentials, if you do not want any redirect URIs registered request "no redirect URIs" in the notes field.
Comments
0 comments
Article is closed for comments.