Why is redirect_uri being checked by Google


Peter Varga

Nov 28, 2011, 2:51:04 PM11/28/11
to oauth...@googlegroups.com
When I register an application, I can't specify a host name in redirect_uri other than 'localhost' or something accessible over the internet. In my case, I need to allow for host names that can only be resolved on my intranet. Why is Google checking the redirect_uri? Facebook doesn't. All you should care about is that the registered redirect_uri is a prefix for the one provided in a login request.

wirehopper

Nov 29, 2011, 7:24:02 AM11/29/11
to oauth2-dev
I am using "urn:ietf:wg:oauth:2.0:oob" for a redirect URI for a web
application hosted on a server that is only accessible within an
intranet, and it works well.

http://code.google.com/apis/accounts/docs/OAuth2InstalledApp.html#choosingredirecturi


Peter Varga

Nov 30, 2011, 9:45:13 AM11/30/11
to oauth...@googlegroups.com
That link refers to the "installed apps" flow

redirect_uri
"The value of this parameter must exactly match one of the values registered in the API console (including the http or https schemes, case, and trailing '/')"

In the API console, if I try to register a URL that only my client can resolve, I get: 

so Google appears to be needlessly checking this URL

Peter Varga

Nov 30, 2011, 11:09:45 AM11/30/11
to oauth...@googlegroups.com
And if I try to actually make a request for a code, this is what is returned:
"Invalid parameter value for redirect_uri: .local URIs not allowed"

Why NOT? 

wirehopper

Nov 30, 2011, 11:58:46 AM11/30/11
to oauth2-dev
Why doesn't matter.

Did you try using "urn:ietf:wg:oauth:2.0:oob"?

Peter Varga

Nov 30, 2011, 1:28:50 PM11/30/11
to oauth...@googlegroups.com
Yes I tried - 
Redirect URL "urn:ietf:wg:oauth:2.0:oob" is not allowed for this type of OAuth 2 client.

This makes sense - I am using the web server flow.

Marius Scurtescu

Nov 30, 2011, 2:13:01 PM11/30/11
to oauth...@googlegroups.com
Hi Peter,

Currently .local redirect URIs are not supported, but they are on the road map.

We need to treat them specially since they are not uniquely
resolvable, which can introduce security risks.

In the mean time you may have some workarounds. If you can replace
.local with .<corp dns address>.ccTLD, it should work. We only
validate that the ccTLD is valid, not that the address is reachable
from the Internet. Also, you are allowed to register multiple
redirect_uri values.

Marius

hemp

Dec 12, 2011, 4:31:40 PM12/12/11
to oauth...@googlegroups.com
In my case I worked around the lack of 'localhost' support by registering with the url localhost.ccTLD (e.g. localhost.mycompany.com). It's not ideal because it requires every dev workstation to add a local dns entry resolving that to localhost, but it does work.

In a former life we worked around the intranet limitation by building a redirector and passing all oauth redirect_uri's through our redirector. It knew how to handle our intranet URIs and allowed those to pass through, but only if the request came from in-house. It may take a couple days to implement well so as not to introduce a security hole in the oauth chain, but it is possible.

It's true that Facebook's oauth implementation doesn't validate redirect domains, but that also may introduce a security vulnerability that would be hard to catch. Since we're trusting identity providers to guard sensitive data in many cases, I don't mind that Google is sticking to the spec. However, it would be very helpful if they could at least add awareness for reserved names (localhost, etc.)
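The exact-match rule quoted from the Google docs earlier in the thread, the ".local URIs not allowed" rejection, and the prefix rule proposed in the opening post, side by side as an added illustration that is not code from the thread or from Google. The registered URIs and the validator names are constructed for the example; the second registered value mirrors hemp's localhost.<ccTLD> workaround.

```python
from urllib.parse import urlsplit

# Constructed sample registration (not a real client): the values a web-server
# client would enter in the API console.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
    "https://localhost.example.com:8443/oauth/callback",  # localhost.<ccTLD> workaround
}


def host_not_uniquely_resolvable(host):
    """Names ending in .local only mean something on one LAN, which is the
    reason the authorization server in the thread refuses them outright."""
    if not host:
        return True
    return host.lower().split(".")[-1] == "local"


def check_exact(requested, registered=REGISTERED_REDIRECT_URIS):
    """Exact-match policy quoted in the thread: scheme, host, case, path and
    trailing '/' must all equal one registered value."""
    parts = urlsplit(requested)
    if parts.scheme not in ("http", "https"):
        # e.g. urn:ietf:wg:oauth:2.0:oob, which the web-server flow rejects
        return False, "redirect_uri must be http or https"
    if host_not_uniquely_resolvable(parts.hostname):
        return False, ".local URIs not allowed"
    if requested not in registered:
        return False, "redirect_uri does not exactly match a registered value"
    return True, "ok"


def check_prefix(requested, registered=REGISTERED_REDIRECT_URIS):
    """Prefix policy suggested in the opening post, kept only for comparison:
    anything appended after a registered value (query string, extra path) passes."""
    if any(requested.startswith(r) for r in registered):
        return True, "ok"
    return False, "no registered prefix matches"


if __name__ == "__main__":
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com/oauth/callback/",
                "https://app.example.com/oauth/callback?next=/admin",
                "https://myhost.local/oauth/callback"):
        print(uri, "exact:", check_exact(uri)[0], "prefix:", check_prefix(uri)[0])
```

The prefix policy lets a caller vary the query string and path of a registered callback; the exact policy pins every component, including the trailing slash.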