Why is redirect_uri being checked by Google

[Peter Varga]

When I register an application, I can't specify a host name in redirect_uri other than 'localhost' or something accessible over the internet. In my case, I need to allow for host names that can only be resolved on my intranet. Why is Google checking the redirect_uri? Facebook doesn't. All you should care about is that it the registered redirect_uri is a prefix for the one provided in a login request.

[wirehopper]

I am using "urn:ietf:wg:oauth:2.0:oob" for a redirect URI for a web
application hosted on a server that is only accessible within an
intranet, and it works well.

http://code.google.com/apis/accounts/docs/OAuth2InstalledApp.html#choosingredirecturi

[Peter Varga]

That link refers to the "installed apps" flow

I'm using the "web server" flow: http://code.google.com/apis/accounts/docs/OAuth2WebServer.html

redirect_uri

"The value of this parameter must exactly match one of the values registered in the API console (including the http or https schemes, case, and trailing '/')"

In the API console, if I try to register a URL that only my client can resolve, I get: 

• OAuth 2 redirect URL "http://onlyIcansee.whatever.local/mypath" is invalid.

so Google appears to be needlessly checking this URL

[Peter Varga]

And if I try to actually make a request for a code, this is what is returned:

"Invalid parameter value for redirect_uri: .local URIs not allowed"

Why NOT? 

[wirehopper]

Why doesn't matter.

Did you try using "urn:ietf:wg:oauth:2.0:oob"?

[Peter Varga]

Yes I tried - 

Redirect URL "urn:ietf:wg:oauth:2.0:oob" is not allowed for this type of OAuth 2 client.

This makes sense - I am using the web server flow.

[Marius Scurtescu]

Hi Peter,

Currently .local redirect URIs are not supported, but they are on the road map.

We need to treat them specially since they are not uniquely
resolvable, which can introduce security risks.

In the mean time you may have some workarounds. If you can replace
.local with .<corp dns address>.ccTLD, it should work. We only
validate that the ccTLD is valid, not that the address is reachable
from the Internet. Also, you are allowed to register multiple
redirect_uri values.

Marius

[hemp]

In my case I worked around the lack of 'localhost' support by registering with the url localhost.ccTLD (e.g. localhost.mycompany.com). It's not ideal because it requires every dev workstation to add a local dns entry resolving that to localhost, but it does work.

In a former life we worked around the intranet limitation by building a redirector and passing all oauth redirect_uri's through our redirector. It knew how to handle our intranet URIs and allowed those to pass through, but only if the request came from in-house. It may take a couple days to implement well so as not to introduce a security hole in the oauth chain, but it is possible.

It's true that Facebook's oauth implementation doesn't validate redirect domains, but that also may introduce a security vulnerability that would be hard to catch. Since we're trusting identity providers to guard sensitive data in many cases, I don't mind that Google is sticking to the spec. However, it would be very helpful if they could at least add awareness for reserved names (localhost, etc.)