Question
The RFC for OAuth2 says the redirect_uri which was specified when generating the authorization code must be included in the request to exchange the code for an access token.
From the RFC:
4.1.3. Access Token Request
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:
[...]
redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
https://tools.ietf.org/html/rfc6749#section-4.1.3
Why is the redirect_uri required when exchanging the code for an access token? What benefit does this provide?
Answer 1:
It is described in 10.6. Authorization Code Redirection URI Manipulation:
https://tools.ietf.org/html/rfc6749#section-10.6
Source: https://stackoverflow.com/questions/54717704/purpose-of-redirect-uri-parameter-when-exchanging-code-for-access-token
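The check that Section 4.1.3 asks of the authorization server, as an added example that is not part of the original question or answer: the server records the redirect_uri together with the code it issues and rejects a token request whose redirect_uri differs, so a code delivered to one redirection URI cannot be redeemed by a request that names another. The class, function names, client id and URIs are assumptions made for illustration, and client authentication is assumed to have happened before `redeem_code` is called.

```python
import secrets


class TokenError(Exception):
    """Corresponds to the "invalid_grant" error of RFC 6749, Section 5.2."""


class AuthorizationServer:
    def __init__(self):
        # code -> (client_id, redirect_uri from the authorization request or None)
        self._codes = {}

    def issue_code(self, client_id, redirect_uri=None):
        """Authorization endpoint: record where this code is being delivered."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def redeem_code(self, client_id, code, redirect_uri=None):
        """Token endpoint: the client is assumed to be authenticated already."""
        # pop() makes the code single-use even if a later check fails.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise TokenError("unknown or already used code")
        bound_client, bound_uri = entry
        if bound_client != client_id:
            raise TokenError("code was issued to a different client")
        # Section 4.1.3: if redirect_uri was in the authorization request it is
        # REQUIRED here and the two values MUST be identical (exact string match).
        if bound_uri is not None and redirect_uri != bound_uri:
            raise TokenError("redirect_uri mismatch")
        return secrets.token_urlsafe(32)


def exchange_result(bound_uri, presented_uri):
    """Issue a code for bound_uri, redeem it with presented_uri, report outcome."""
    server = AuthorizationServer()
    code = server.issue_code("client-1", bound_uri)  # constructed client id
    try:
        server.redeem_code("client-1", code, presented_uri)
        return "token issued"
    except TokenError as exc:
        return str(exc)
```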