redirect_uri required when exchanging an authorization code for an access token

I have the following OAuth V2 policy, which seems fairly standard: 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessToken">
    <DisplayName>GenerateAccessToken</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
        <GrantType>refresh_token</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <Tokens/>
    <RefreshToken>request.formparam.refresh_token</RefreshToken>
</OAuthV2>

However, I'm encountering the issue that the request fails when I don't include a redirect_uri when exchanging an authorization code for an access token: {"ErrorCode" : "invalid_request", "Error" :"Required param : redirect_uri"}

Nowhere have I explicitly configured in the policy that it should be required, and according to the Apigee documentation, it should be optional.

It should be and is required when requesting an authorization code, but it shouldn't when exchanging that code for an access token, because this is server-to-server communication anyway.

What's causing the redirect_uri to be required in this case? Have I made a mistake with configuring the proxy?

1 ACCEPTED SOLUTION

I think the redirect_uri is optional only if you haven't specified it in the initial  /authorize call.  If you have specified it in the /authorize call, then you also need to specify it in the /token call.  That is what I recall reading in RFC 6749, and that is how I believe Apigee's OAuth2 policy behaves.

Yep, just checking now, this is what the spec says: 

[screenshot: rfc6749-sec4.1.3.png, RFC 6749 section 4.1.3 (Access Token Request)]

If the Apigee documentation does not describe the redirect_uri parameter to the /token request in a way that is consistent with the above, then the Apigee documentation is probably incorrect.  

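The rule the accepted answer quotes from RFC 6749 section 4.1.3 is easy to model in code. The block below is an added example and is not code from the original post, from Apigee, or from any real authorization server: it is a hypothetical in-memory server (class `AuthorizationServer`, methods `authorize` and `token`, all made up for illustration) that binds whatever redirect_uri was sent to /authorize to the issued code, and then enforces the two-part rule at /token: the parameter is required only if it was present on /authorize, and when present it must be byte-for-byte identical. The error body mirrors the one reported in the question. Python 3.9 or later.

```python
"""Added example (not from the original post or Apigee): a minimal model of the
RFC 6749 section 4.1.3 redirect_uri rule at a token endpoint.

Rule being modelled:
  - if the client sent redirect_uri on /authorize, it MUST send it again on /token
    and the two values MUST be identical (exact string match);
  - if it did not send one on /authorize, /token works without it.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthorizationCode:
    """What the server remembers about a code it issued."""
    client_id: str
    redirect_uri: Optional[str]  # None when /authorize was called without one
    used: bool = False


class AuthorizationServer:
    """Toy authorization server (hypothetical, not Apigee's implementation)."""

    def __init__(self) -> None:
        self._codes: dict[str, AuthorizationCode] = {}

    def authorize(self, client_id: str, redirect_uri: Optional[str] = None) -> str:
        """Model of the /authorize step: issue a code and bind the redirect_uri
        (if any) that was used in this request to it."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = AuthorizationCode(client_id, redirect_uri)
        return code

    def token(self, client_id: str, code: str,
              redirect_uri: Optional[str] = None) -> dict:
        """Model of the /token step for grant_type=authorization_code."""
        rec = self._codes.get(code)
        if rec is None or rec.used or rec.client_id != client_id:
            return {"error": "invalid_grant"}

        # RFC 6749 4.1.3: redirect_uri is REQUIRED if it was included in the
        # authorization request, and the values MUST be identical.
        if rec.redirect_uri is not None:
            if redirect_uri is None:
                # Same shape as the error reported in the question above.
                return {"error": "invalid_request",
                        "error_description": "Required param : redirect_uri"}
            if redirect_uri != rec.redirect_uri:
                # Exact string comparison; no prefix or host-only matching.
                return {"error": "invalid_grant",
                        "error_description": "redirect_uri mismatch"}

        rec.used = True  # authorization codes are single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    """Run the four cases a practitioner would want to see and return the results."""
    srv = AuthorizationServer()
    cb = "https://client.example/cb"  # constructed sample redirect URI

    code_with_uri = srv.authorize("app", cb)
    missing = srv.token("app", code_with_uri)                       # omitted -> invalid_request
    wrong = srv.token("app", code_with_uri, "https://evil.example/cb")  # changed -> invalid_grant
    ok = srv.token("app", code_with_uri, cb)                        # identical -> token
    replay = srv.token("app", code_with_uri, cb)                    # reuse -> invalid_grant

    code_without_uri = srv.authorize("app")
    ok_no_uri = srv.token("app", code_without_uri)                  # never sent -> token

    return {"missing": missing, "wrong": wrong, "ok": ok,
            "replay": replay, "ok_no_uri": ok_no_uri}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The comparison is a plain string equality on purpose: the spec says the values must be identical, and looser matching (prefix, host-only) is what lets an attacker who obtained a code through a tampered redirect_uri on /authorize exchange it at /token. That is the reason the parameter is required again on the server-to-server call even though no browser redirect happens there.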

2 REPLIES

Thanks for clarifying. I did not realize this is actually part of the RFC.