
Determine whether redirect_uri should be an optional token request parameter even when specified in the authorization request #2414

@kevinchalet

Description


Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Describe the solution you'd like

While things were simple in OAuth 2.0 (the redirect_uri token request parameter was required when it was specified in the authorization request), things will become a bit more complicated with OAuth 2.1's 9th draft (OAuth 2.1 is still a WIP and has not been adopted yet):

In OAuth 2.1, authorization code injection is prevented by the code_challenge and code_verifier parameters, making the inclusion of the redirect_uri parameter serve no purpose in the token request. As such, it has been removed. For backwards compatibility of an authorization server wishing to support both OAuth 2.0 and OAuth 2.1 clients, the authorization server MUST allow clients to send the redirect_uri parameter in the token request and MUST enforce the parameter as described in RFC6749. The authorization server can use the client_id in the request to determine whether to enforce this behavior for the specific client that it knows will be using the older OAuth 2.0 behavior. A client following only the OAuth 2.1 recommendations will not send the redirect_uri in the token request, and therefore will not be compatible with an authorization server that expects the parameter in the token request.

It's worth noting that while OpenID Connect requires sending a redirect_uri in the authorization request (and thus in the token request too), OpenIddict already accepts authorization requests that don't have a redirect_uri attached as long as the client application only has a single redirect_uri attached in the DB.

If the OAuth 2.1 specification is adopted as-is, we'll likely want to relax the existing check to allow token requests to be sent with a redirect_uri attached, even if a redirect_uri was initially present in the authorization request (as long as the client application doesn't have multiple redirect_uri registered, at least).
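The following is an added, self-contained Python model of the token-endpoint check discussed above; it is not OpenIddict code and does not use its API. It encodes the three rules the issue and the quoted draft describe: a redirect_uri sent in the token request must be identical to the one bound to the code (RFC 6749 §4.1.3); a client the server knows to be OAuth 2.0-only must still send it whenever the authorization request carried one; and an OAuth 2.1 client may omit it only when PKCE (S256) verifies and the client has a single registered redirect_uri, which is the caveat the issue raises. The class names, the `legacy_oauth2` flag and the sample client data are assumptions made for the example; the PKCE test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical registration record (not OpenIddict's model).
@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    redirect_uris: Tuple[str, ...]
    legacy_oauth2: bool = False   # server knows this client follows RFC 6749 only

# What the server bound to the authorization code when it was issued.
@dataclass(frozen=True)
class AuthorizationCode:
    client_id: str
    redirect_uri: Optional[str]      # None if the authorization request omitted it
    code_challenge: Optional[str]    # S256 challenge if PKCE was used, else None

def s256_challenge(verifier: str) -> str:
    """base64url(SHA-256(verifier)) without padding, per RFC 7636 section 4.2."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_ok(code: AuthorizationCode, verifier: Optional[str]) -> bool:
    """True only if PKCE was used at authorization time and the verifier matches."""
    if code.code_challenge is None or verifier is None:
        return False
    return secrets.compare_digest(s256_challenge(verifier), code.code_challenge)

def validate_redirect_uri(client: RegisteredClient,
                          code: AuthorizationCode,
                          token_request: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether the token request's redirect_uri handling is acceptable.

    Returns (accepted, reason). Called after the code has been looked up and
    proven to belong to `client`; any other checks (expiry, replay) are separate.
    """
    sent = token_request.get("redirect_uri")

    # The value the code is bound to: the explicit one from the authorization
    # request, else the single registered one (mirrors accepting authorization
    # requests without redirect_uri when exactly one is registered).
    if code.redirect_uri is not None:
        bound = code.redirect_uri
    elif len(client.redirect_uris) == 1:
        bound = client.redirect_uris[0]
    else:
        return False, "no redirect_uri bound to the code and several are registered"

    if sent is not None:
        # RFC 6749 section 4.1.3: when present, the values MUST be identical.
        if sent != bound:
            return False, "redirect_uri differs from the one in the authorization request"
        return True, "redirect_uri present and identical"

    # Parameter omitted from the token request.
    if code.redirect_uri is None:
        return True, "omitted in both requests; client has a single registered redirect_uri"
    if client.legacy_oauth2:
        return False, "RFC 6749: redirect_uri is required because the authorization request had one"
    if len(client.redirect_uris) != 1:
        return False, "omission only tolerated for clients with a single registered redirect_uri"
    if not pkce_ok(code, token_request.get("code_verifier")):
        return False, "omission only tolerated when PKCE verifies (OAuth 2.1 rationale)"
    return True, "omitted; PKCE valid and single registered redirect_uri (OAuth 2.1 client)"

# Constructed sample data using the RFC 7636 Appendix B test vector.
PKCE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
PKCE_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
SINGLE = RegisteredClient("single", ("https://app.example/cb",))
LEGACY = RegisteredClient("legacy", ("https://app.example/cb",), legacy_oauth2=True)
MULTI = RegisteredClient("multi", ("https://app.example/cb", "https://app.example/cb2"))
CODE_WITH_URI = AuthorizationCode("single", "https://app.example/cb", PKCE_CHALLENGE)
CODE_NO_URI = AuthorizationCode("single", None, PKCE_CHALLENGE)

if __name__ == "__main__":
    for client, req in [(SINGLE, {"code_verifier": PKCE_VERIFIER}),
                        (LEGACY, {"code_verifier": PKCE_VERIFIER}),
                        (SINGLE, {"redirect_uri": "https://other.example/cb"})]:
        print(client.client_id, validate_redirect_uri(client, CODE_WITH_URI, req))
```

The `legacy_oauth2` flag stands in for the per-client decision the draft suggests ("use the client_id ... to determine whether to enforce this behavior"); a server that cannot tell its OAuth 2.0 clients apart from its 2.1 clients should keep the strict RFC 6749 rule for everyone, since the mismatch case is the one that actually blocks authorization-code injection for clients without PKCE.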

Additional context

https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-14#name-redirect-uri-parameter-in-t
