- What is it?
- It specifies the allowed redirect_uri to return tokens or authorization codes to. Learn more about the /authorize request here.
- The best way to ensure the user will only be directed to appropriate locations is to require you, the developer, to register one or more redirect_uri values when you create the application. You need to provide your own redirect_uri and send it to firstname.lastname@example.org so it can be whitelisted.
- Why should it be whitelisted at MobilePay?
- MobilePay will only redirect users to a registered redirect_uri, in order to prevent redirection attacks where an authorization code or access token can be obtained by an attacker. MobilePay allows you to register multiple
- How long does it take to have it whitelisted?
- It takes approximately 5 mins to have it whitelisted, once we have seen your e-mail request. Send the redirect_uri to email@example.com and we will confirm once it has been whitelisted.
- What format should it have?
- In order to be secure, the redirect_uri must be an https endpoint to prevent tokens from being intercepted during the authorization process. If your redirect_uri is not https, then an attacker may be able to intercept the authorization code and use it to hijack a session.
- redirect_uri should be HTTPS
- They cannot be dynamic. Here is what the OpenID Connect specification says: Redirection URI to which the response will be sent. This URI must exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider,
- You can use http://127.0.0.1:7890 only on local machines, which is why it will not work when the code is running on a server.
- It is only for getting started and for testing purposes on a local machine, as no deployment is needed, so it is very fast to get results.
- Debugging
- If you get an invalid Redirect error, please ensure that you've used the redirect_uri that has been whitelisted at MobilePay.
- Remember that you need to contact firstname.lastname@example.org when you need to have redirect URIs registered for both sandbox and production.
We recommend that, after you complete local development, you remove localhost and related domains from your configuration list.
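The format rules above (https only, exact match against a pre-registered value, loopback http only for local testing) can be checked on your own side before you request whitelisting or send an /authorize request. This is an added example, not MobilePay's code: the hostnames, the `REGISTERED` table and both function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample registrations; not real MobilePay client data.
REGISTERED = {
    "production": {"https://shop.example.com/oidc/callback"},
    "sandbox": {
        "https://staging.shop.example.com/oidc/callback",
        "http://127.0.0.1:7890",  # loopback entry, local testing only
    },
}

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def registration_problem(uri, environment):
    """Return why a URI should not be registered, or None if it is fine."""
    parts = urlsplit(uri)
    if "*" in uri:
        # Assumed reading of "cannot be dynamic": no wildcard patterns.
        return "redirect_uri cannot be dynamic"
    if parts.scheme == "https" and parts.hostname:
        return None
    if parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS:
        if environment == "production":
            return "loopback http is for local testing; remove it"
        return None
    return "redirect_uri must be https"


def is_allowed_redirect(requested, environment):
    """Exact string match against the pre-registered values.

    No prefix matching and no normalisation: a trailing slash, an extra
    query parameter or an http downgrade all count as a different URI.
    """
    return requested in REGISTERED.get(environment, set())


if __name__ == "__main__":
    for candidate in (
        "https://shop.example.com/oidc/callback",
        "https://shop.example.com/oidc/callback/",
        "http://shop.example.com/oidc/callback",
    ):
        print(candidate, is_allowed_redirect(candidate, "production"))
```

Running `registration_problem` over your production list before release also catches a leftover localhost entry.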