Redirect URI Validation Policies

OAuth Clients may require one or more redirect URIs, depending on their Client Capabilities.

Redirect URI validation policies define a set of rules that are used to determine whether a provided redirect URI is acceptable with respect to what is allowed by configuration.

A validation policy can specify that some validation rules are omitted or loosened. A number of rules apply only to authenticated requests, where either the client itself, or the authenticity and integrity of the request parameters, can be verified. This is the case for Pushed Authorization Requests (PAR) and JWT Secured Authorization Requests (JAR).

Configuring Validation Policies

Multiple Redirect URI validation policies can be configured for a Token Profile, one of which is set as the default policy.

The default policy is used to validate the redirect URI that a client uses, unless the client is configured to use another redirect URI validation policy.

See Client Redirect URI Validation for how to configure a validation policy for a client.

For Dynamically Registered Clients, either the profile’s default validation policy is used, or, for all non-templatized DCR clients, the single validation policy configured in the non-templatized DCR settings is used.

Redirect URI validation policies are only available when validate-port-on-loopback-interfaces is enabled and allow-per-request-redirect-uris is disabled, which is the case by default.

The following figure shows an example Validation Policy (Admin UI > Profiles > OAuth > Redirect URI Policies):

[Figure: Configuring a Redirect URI Validation Policy in the Token Profile. An example Validation Policy in the Admin UI (Admin UI version: 10.6).]

Available configuration settings:

  • Allow localhost variations: Disable all validations (port, path, etc.) when the URI host is localhost.
  • Allow query string variations: Allow the query string of the redirect_uri to differ per request.
  • Authenticated Authorization Requests
    • Validate Port: Consider the port in the URL when comparing the registered URI with the requested redirect_uri.
    • Validate Path: Require the path part of the requested URI to match the registered path exactly.
    • Allow Suffix Path: Allow the registered path to be extended with additional suffix path parts per request.
    • Validate Query String: Require the query string to match the registered query string exactly (Dynamic Clients) or to start with the configured query string (Configuration Clients). If disabled, any query string value is acceptable.
    • Domain Validation: How the domain part of the URI is validated, one of exact | no-validation | tld-plus-one | tld-plus-two.
  • Registration Validation
    • Allow HTTP: Allow a client to register a non-TLS http redirect_uri.

Notice that some of the options in a validation policy are inherently unsafe! They must not be used in Production and are provided only for testing and debugging purposes.
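The following is an added example, not the product's own code: a hypothetical checker that models the policy settings listed above, so the effect of each rule (and of the unsafe ones) can be seen on concrete URIs. The Policy field names, the dynamic_client flag and the segment-boundary rule for suffix paths are assumptions made for this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Policy:
    """Hypothetical model of the policy settings listed above (not the product's own code)."""
    allow_localhost_variations: bool = False
    allow_query_variations: bool = False
    validate_port: bool = True
    validate_path: bool = True
    allow_suffix_path: bool = False
    validate_query: bool = True
    domain_validation: str = "exact"  # exact | no-validation | tld-plus-one | tld-plus-two
    allow_http: bool = False          # Registration Validation rule

def registration_allowed(uri: str, policy: Policy) -> bool:
    """Registration-time check: plain http is rejected unless Allow HTTP is enabled."""
    scheme = urlsplit(uri).scheme
    return scheme == "https" or (scheme == "http" and policy.allow_http)

def _domain_ok(registered: str, requested: str, mode: str) -> bool:
    if mode == "no-validation":
        return True
    if mode == "exact":
        return registered == requested
    keep = {"tld-plus-one": 2, "tld-plus-two": 3}[mode]  # labels compared, counted from the right
    return registered.split(".")[-keep:] == requested.split(".")[-keep:]

def redirect_uri_allowed(registered: str, requested: str, policy: Policy,
                         dynamic_client: bool = False) -> bool:
    """Request-time check of a requested redirect_uri against the registered URI under the policy."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if req.scheme != reg.scheme or not req.hostname:
        return False
    if policy.allow_localhost_variations and reg.hostname == req.hostname == "localhost":
        return True  # testing only: port, path and query are not checked for localhost
    if not _domain_ok(reg.hostname, req.hostname, policy.domain_validation):
        return False
    default_port = {"https": 443, "http": 80}.get(reg.scheme)
    if policy.validate_port and (req.port or default_port) != (reg.port or default_port):
        return False
    if policy.validate_path and req.path != reg.path:
        # A suffix must begin at a segment boundary: /cb/x extends /cb, /cb-x does not.
        if not (policy.allow_suffix_path and req.path.startswith(reg.path.rstrip("/") + "/")):
            return False
    if policy.validate_query and not policy.allow_query_variations:
        # Dynamic clients must match exactly; configured clients may only append parameters.
        if req.query != reg.query and (dynamic_client or not req.query.startswith(reg.query)):
            return False
    return True
```

With the default (strict) Policy every deviation in host, port, path or query is rejected; relaxing domain_validation to tld-plus-one shows why that setting accepts any sibling host under the registered registrable domain.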

If multiple Validation Policies are configured in a Token Profile, make sure to also configure the appropriate policy for each OAuth Client.
