2.4. Management of Client Redirect URIs
OAuth 2.0 [RFC6749] allows clients to use unregistered redirect_uri values in certain circumstances or for the authorization server to apply its own matching semantics to the redirect_uri value presented by the client at the authorization endpoint. However, the OAuth security BCP [OAUTH-SECURITY-TOPICS] as well as the OAuth 2.1 specification [OAUTH-V2] require an authorization server to exactly match the redirect_uri parameter against the set of redirect URIs previously established for a particular client. This is a means for early detection of client impersonation attempts and prevents token leakage and open redirection. As a downside, this can make client management more cumbersome since the redirect URI is typically the most volatile part of a client policy.
The exact matching requirement MAY be relaxed when using PAR for clients that have established authentication credentials with the authorization server. This is possible since, in contrast to a conventional authorization request, the authorization server authenticates the client before the authorization process starts and thus ensures it is interacting with the legitimate client. The authorization server MAY allow such clients to specify redirect_uri values that were not previously registered with the authorization server. This will give the client more flexibility (e.g., to mint distinct redirect_uri values per authorization server at runtime) and can simplify client management. It is at the discretion of the authorization server to apply restrictions on supplied redirect_uri values, e.g., the authorization server MAY require a certain URI prefix or allow only a query parameter to vary at runtime.
Note: The ability to set up transaction-specific redirect URIs is also useful in situations where client IDs and corresponding credentials and policies are managed by a trusted third party, e.g., via client certificates containing client permissions. Such an externally managed client could interact with an authorization server trusting the respective third party without the need for an additional registration step.
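The following is an added example, not code from RFC 9126 or any particular authorization server, showing how an authorization server might implement the relaxation described above: exact matching for every request, with a per-client policy (assumed here as `query_only` or `prefix`) that is applied only when the request arrived via PAR and the client was authenticated. The client registry, client IDs and policy names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed client registry (hypothetical). "policy" is an assumed per-client
# setting chosen by the authorization server:
#   query_only - only the query component may vary from a registered URI
#   prefix     - the path may extend a registered URI prefix (query allowed)
# Exact string matching (RFC 6749) is always accepted regardless of policy.
CLIENTS = {
    "confidential-web":   {"policy": "query_only",
                           "redirect_uris": ["https://app.example/cb"]},
    "confidential-multi": {"policy": "prefix",
                           "redirect_uris": ["https://app.example/cb/"]},
    "public-spa":         {"policy": "prefix",   # never relaxed: no credentials
                           "redirect_uris": ["https://spa.example/callback"]},
}


def redirect_uri_allowed(client_id, redirect_uri, *, via_par, client_authenticated):
    """Decide whether the AS accepts redirect_uri for this request.

    via_par: the request came in through the pushed authorization request endpoint.
    client_authenticated: the AS verified the client's credentials on that request.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    p = urlsplit(redirect_uri)
    # RFC 6749 3.1.2: the redirection endpoint URI must not carry a fragment;
    # this AS additionally insists on https for every redirect URI.
    if p.fragment or p.scheme != "https":
        return False
    registered = client["redirect_uris"]
    if redirect_uri in registered:          # exact match always suffices
        return True
    # Relaxation is only for clients the AS has just authenticated via PAR
    # ("clients that have established authentication credentials").
    if not (via_par and client_authenticated):
        return False
    for reg in registered:
        r = urlsplit(reg)
        # Compare parsed components, so userinfo tricks like
        # https://app.example@evil.example/... fail the netloc comparison.
        if (p.scheme, p.netloc) != (r.scheme, r.netloc):
            continue
        if client["policy"] == "query_only" and p.path == r.path:
            return True
        if client["policy"] == "prefix" and p.path.startswith(r.path):
            return True
    return False
```

The ordering matters: the fragment and scheme checks and the exact-match shortcut run before any policy is consulted, so a mis-set policy on a public client can never widen what that client may use.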