redirect_uri required when exchanging an authorization code for an access token

Google Cloud Apigee
1

I have the following OAuth V2 policy, which seems fairly standard:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 async="false" continueOnError="false" enabled="true" name="GenerateAccessToken">
    <DisplayName>GenerateAccessToken</DisplayName>
    <Properties/>
    <Attributes/>
    <ExternalAuthorization>false</ExternalAuthorization>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
        <GrantType>refresh_token</GrantType>
    </SupportedGrantTypes>
    <GenerateResponse enabled="true"/>
    <Tokens/>
    <RefreshToken>request.formparam.refresh_token</RefreshToken>
</OAuthV2>

However, I’m encountering the issue that the request fails when I don’t include a redirect_uri when exchanging an authorization code for an access token: {“ErrorCode” : “invalid_request”, “Error” :“Required param : redirect_uri”}

Nowhere have I explicitely configured in the policy that it should be required, and according to the Apigee documentation, it should be optional.

It should be and is required when requesting an authorization code, but it shouldn’t when exchanging that code for an access token, because this is server-to-server communication anyway.

What’s causing the redirect_uri to be required in this case? Have I made a mistake with configuring the proxy?

2

I think the redirect_uri is optional only if you haven’t specified it in the initial /authorize call. If you have specified it in the /authorize call, then you also need to specify it in the /token call. That is what I recall reading in RFC 6749, and that is how I believe Apigee’s OAuth2 policy behaves.

Yep, just checking now, this is what the spec says:

rfc6749-sec4.1.3.png
rfc6749-sec4.1.3.png1454Ă—1028 109 KB

If the Apigee documentation does not describe the redirect_uri parameter to the /token request in a way that is consistent with the above, then the Apigee documentation is probably incorrect.

1 Like
3

Thanks for clarifying. I did not realize this is actually part of the RFC.