- What is it?
- It specifies the allowed redirect_uri to return tokens or authorization codes to. Learn more about the /authorize request here.
- The best way to ensure the user will only be directed to appropriate locations is to require you, the developer, to register one or more redirect_uri values when you create the application. You need to provide your own redirect_uri and send it to email@example.com so it can be whitelisted.
- Why should it be whitelisted at MobilePay?
- MobilePay will only redirect users to a registered redirect_uri, in order to prevent redirection attacks where an authorization code or access token can be obtained by an attacker. MobilePay allows you to register multiple
- How long does it take to have it whitelisted?
- We will whitelist it as soon as we process your email request. Send the redirect_uri to firstname.lastname@example.org and we will confirm once it has been whitelisted.
- What format should it have?
- In order to be secure, the redirect_uri must be an https endpoint to prevent tokens from being intercepted during the authorization process. If your redirect_uri is not https, then an attacker may be able to intercept the authorization code and use it to hijack a session.
- redirect_uri should be HTTPS
- They cannot be dynamic. Here is what the OpenID Connect specification says: Redirection URI to which the response will be sent. This URI must exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider,
- Debugging -
- If you get an invalid Redirect error, please ensure that you've used the redirect_uri that has been whitelisted at MobilePay.
- Remember that you need to contact email@example.com when you need redirect URIs registered for both sandbox and production.
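
A pre-flight check for the format and debugging rules above, added here as an example and not MobilePay's own code: it compares the redirect_uri you are about to send to /authorize with the ones you registered, using the exact string match the OpenID Connect text requires, and names the likely cause of an invalid redirect error. The function name, reason strings and sample URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample value; replace with the URIs you actually had whitelisted.
REGISTERED = ["https://shop.example.com/oauth/callback"]


def check_redirect_uri(candidate, registered=REGISTERED):
    """Return (ok, reason) for the redirect_uri a client is about to send."""
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return False, "not_https"
    # Exact match means plain string comparison: no normalisation,
    # no prefix matching, no wildcards.
    if candidate in registered:
        return True, "ok"
    # No exact match: look for the near-misses that usually cause the error.
    for reg in registered:
        r = urlsplit(reg)
        if candidate.rstrip("/") == reg.rstrip("/"):
            return False, "trailing_slash"
        if candidate.lower() == reg.lower():
            return False, "case"
        if (parts.netloc, parts.path) == (r.netloc, r.path) and parts.query != r.query:
            # A per-request query value makes the URI dynamic, which is not allowed.
            return False, "query"
        if parts.hostname == r.hostname and parts.port != r.port:
            return False, "port"
    return False, "not_registered"


if __name__ == "__main__":
    # Constructed candidates covering each outcome.
    for uri in [
        "https://shop.example.com/oauth/callback",
        "http://shop.example.com/oauth/callback",
        "https://shop.example.com/oauth/callback/",
        "https://shop.example.com/oauth/callback?order=42",
        "https://other.example.net/oauth/callback",
    ]:
        print(uri, check_redirect_uri(uri))
```

Keep separate registered lists for sandbox and production, since each environment is whitelisted on its own.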