为什么在访问令牌请求上需要redirect_uri? [英] Why is redirect_uri required on Access Token request?

问题描述

我正在基于 rfc6749 开发一个oauth2提供程序，我想知道为什么访问令牌请求上是否需要redirect_uri?/token端点未重定向，并且假定状态已经验证(即针对CSRF)，因此redirectURI的副本对我来说意义不大.

I'm developing an oauth2 provider based on rfc6749 and I'm wondering, why is redirect_uri required on the Access Token Request? The /token endpoint is not redirecting and the state is assumed to be already validated (i.e. against CSRF) so a copy of the redirectURI doesn't make much sense to me.

推荐答案

在身份验证代码流中，它用于在第一个身份验证请求中验证redirect_uri. https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/

In auth code flow, it's used to validate the redirect_uri in the first auth request. https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/

授予访问令牌

令牌端点将收到一个交换授权的请求 访问令牌的代码.该请求将包含一个重定向URL为 以及授权码.作为一种额外的安全措施， 服务器应验证此请求中的重定向URL是否匹配 恰好包含在初始名称中的重定向URL 此授权码的授权请求.如果重定向URL 不匹配，服务器将拒绝请求并显示错误.

The token endpoint will get a request to exchange an authorization code for an access token. This request will contain a redirect URL as well as the authorization code. As an added measure of security, the server should verify that the redirect URL in this request matches exactly the redirect URL that was included in the initial authorization request for this authorization code. If the redirect URL does not match, the server rejects the request with an error.

这篇关于为什么在访问令牌请求上需要redirect_uri?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！