We know that we need to pass both client_id and redirect_uri in the authorization request. https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow#step-1-get-the-users-permission But hasn't that client app already registered its redirect URL with the authorization server? So only client_id is needed for the authorization server to look up and retrieve redirect_uri automatically, as long as client_id is the correct one?
1 Answer
As pointed out in the OAuth 2.0 specification, the redirect_uri in the Authorization Request is optional. It's only necessary if the client hasn't previously registered a redirection endpoint, or if they've registered multiple redirection endpoints. Both cases are valid.
If there's a single pre-registered redirection endpoint, then the redirect_uri parameter can indeed be omitted.
Note that some implementations may make it mandatory even if there is only one redirection endpoint (mostly to make sure that things don't break when one suddenly adds a new endpoint and the server can no longer guess which redirection endpoint to use). – jcaron, Jul 20, 2024 at 15:29
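An added example (not from the question, the answer, or the Ory docs) of how an authorization server can apply the rule above when resolving the redirection endpoint, written in Python; the client registry, the client_ids and the URLs are constructed for illustration, and `require_param` is an assumed switch that reproduces the stricter servers the comment mentions:

```python
# Constructed sample client registry: what the authorization server has on
# file, keyed by client_id (assumption, not a real registry format).
REGISTERED_CLIENTS = {
    "app-single": ["https://app.example/callback"],
    "app-multi": ["https://app.example/cb1", "https://app.example/cb2"],
}


class RedirectError(ValueError):
    """Raised when no safe redirection endpoint can be determined.

    RFC 6749 section 4.1.2.1: if redirect_uri is missing, invalid or
    mismatching, the server MUST NOT redirect the user agent; it should
    show the error to the resource owner instead of sending it anywhere.
    """


def resolve_redirect_uri(client_id, redirect_uri=None, require_param=False):
    """Return the endpoint the authorization response may be sent to.

    Mirrors RFC 6749 sections 3.1.2.2 and 4.1.1:
    - redirect_uri may be omitted only when exactly one endpoint is registered;
    - it is mandatory when several endpoints are registered;
    - when supplied it must exactly equal a registered value (no prefix,
      substring or "same host" matching), so open-redirect style variants
      such as an appended path or a look-alike host are rejected.
    require_param models servers that demand the parameter regardless.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        raise RedirectError("unknown client_id")

    if redirect_uri is None:
        if require_param or len(registered) != 1:
            raise RedirectError("redirect_uri is required for this client")
        return registered[0]  # single pre-registered endpoint: safe to use

    if redirect_uri not in registered:  # exact string comparison on purpose
        raise RedirectError("redirect_uri does not match a registered endpoint")
    return redirect_uri
```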