OAuth 2.0 states that if the authorisation request has a "missing, invalid, or mismatching redirection URI" an error message should be presented to the end-user and redirection should not occur.
I suppose "mismatching" is to mean a URI that has not been registered with the OP?
OIDC seems to override the OAuth 2.0 behaviour on "mismatching" redirect URI and requires instead an error code to be returned to the client:
invalid_redirect_uri The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.
Am I interpreting the spec correctly?
If yes, the current "invalid" qualifier in "invalid_redirect_uri" sounds a bit ambiguous as it may also mean that the URI doesn't parse correctly. Perhaps "redirect_uri_not_registered" would be a better match for this error condition.
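To make the distinction in the question concrete, here is an added example (not code from the original post or from any OP implementation) of an authorization endpoint applying the RFC 6749 §4.1.2.1 rule: a missing, unparseable or unregistered redirect_uri is reported to the end-user and never redirected to, while errors detected after the redirect_uri has been matched exactly against the registered set are sent back to the client as an error code. The client registry, the AuthzDecision class and the placeholder authorization code are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed sample registry (assumption): client_id -> registered redirect URIs.
REGISTERED_CLIENTS = {
    "app1": ["https://app.example.com/cb", "https://app.example.com/cb2"],
}
SUPPORTED_RESPONSE_TYPES = {"code"}


@dataclass
class AuthzDecision:
    action: str                      # "render_error" (no redirect) or "redirect"
    location: Optional[str] = None   # redirect target when action == "redirect"
    error: Optional[str] = None      # OAuth error code, or the reason for render_error


def redirect_uri_is_acceptable(client_id: str, redirect_uri: str) -> bool:
    """True only for a parseable URI that exactly matches a registered one."""
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False  # unparseable, or carries a fragment (RFC 6749 §3.1.2)
    # Exact string comparison: prefix or pattern matching would let a
    # non-registered URI on the same host receive the authorization code.
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def handle_authorization_request(params: dict) -> AuthzDecision:
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    # RFC 6749 §4.1.2.1: unknown client or missing/invalid/mismatching
    # redirect_uri -> inform the end-user, MUST NOT redirect to that URI.
    if client_id not in REGISTERED_CLIENTS:
        return AuthzDecision("render_error", error="unknown client_id")
    if not redirect_uri_is_acceptable(client_id, redirect_uri):
        return AuthzDecision("render_error", error="redirect_uri not registered")
    # From here on redirect_uri is trusted, so remaining errors go to the client.
    query = {}
    if "state" in params:
        query["state"] = params["state"]  # echoed so the client can correlate
    sep = "&" if "?" in redirect_uri else "?"
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        query["error"] = "unsupported_response_type"
        return AuthzDecision("redirect", redirect_uri + sep + urlencode(query),
                             "unsupported_response_type")
    # Success path (consent step omitted); the code value is a constructed placeholder.
    query["code"] = "CONSTRUCTED-CODE"
    return AuthzDecision("redirect", redirect_uri + sep + urlencode(query))
```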