Is "Authorized redirect URI" mandatory when setting up a new clientId under google developers console?

Zenil · Aug 20, 2014 · Viewed 14k times

The authorized redirect URI is used by google to do a callback to pass the authorization token.

It is also used for validation by google. So when receiving the actual oauth request, google checks to see if the callback url given in the request is the same as the "Authorized redirect URI" and if not it throws an error.

My requirement is to prevent google from doing this validation as I want to be able to pass different callback urls at run time. I tried giving the "authorized redirect URI" as empty, but that doesn't work. Any suggestions?

Answer

Owen Cao · Aug 22, 2014

Yes, in Google OAuth 2.0, although you can set no URIs in REDIRECT URIS, it doesn't make any sense. Redirect URI is required in client registration and OAuth flows (authorization code flow and implicit flow). Lack of a redirection URI registration requirement can enable an attacker to use the authorization endpoint as an open redirector.

You mentioned that LinkedIn enabled open redirect URIs. This is not acceptable in security. And I've noticed that LinkedIn has fixed this issue.

In order to make the LinkedIn platform even more secure, and so we can comply with the security specifications of OAuth 2, we are asking those of you who use OAuth 2 to register your application's redirect URLs with us by April 11, 2014.

Here is LinkedIn's announcement.
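As an added example (not code from the question, the answer, or Google), here is the redirect_uri check an authorization server performs that the answer refers to: the requested URI must exactly match one registered for the client, and the contrast function shows why an endpoint with no registration requirement is an open redirector. The client id, registered URIs and request values are constructed sample data.

```python
"""Exact-match redirect_uri validation at an OAuth 2.0 authorization endpoint.

RFC 6749 section 3.1.2.3 requires the server to compare the redirect_uri in the
request against the registered value(s). Only scheme and host are case-insensitive;
path, query and fragment must match byte for byte, so a trailing segment, an extra
query parameter or a different scheme is rejected.
"""
from urllib.parse import urlencode, urlsplit

# Constructed client registration: one client with two registered callbacks.
REGISTERED_REDIRECT_URIS = {
    "client-123": frozenset({
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-staging",
    }),
}


def normalise(uri: str) -> str:
    """Lower-case scheme and authority; leave path, query and fragment untouched."""
    p = urlsplit(uri)
    out = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    if p.query:
        out += f"?{p.query}"
    if p.fragment:
        out += f"#{p.fragment}"
    return out


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """True only if the requested URI exactly matches a registered one for this client."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, frozenset())
    return normalise(requested) in {normalise(u) for u in registered}


def authorize(client_id: str, redirect_uri: str, state: str) -> tuple[int, str]:
    """Return (HTTP status, Location header or error text) for an authorization request.

    On a mismatch the server must show an error and must NOT redirect the user agent
    to the unregistered URI (RFC 6749 section 4.1.2.1).
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        return 400, "invalid_request: redirect_uri does not match a registered URI"
    code = "SAMPLE_CODE"  # constructed; a real server issues a random, single-use code
    return 302, f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def authorize_without_registration(redirect_uri: str, state: str) -> tuple[int, str]:
    """What the answer warns about: with no registration check, any caller-supplied
    URI receives the redirect, so the endpoint behaves as an open redirector."""
    return 302, f"{redirect_uri}?{urlencode({'code': 'SAMPLE_CODE', 'state': state})}"
```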