What is it?
The best way to ensure that the user is only sent to appropriate locations is to require you, the developer, to register one or more redirect URLs when you create the application. You need to provide your own redirect URL and send it to firstname.lastname@example.org so it can be whitelisted.
Why should it be whitelisted at MobilePay?
MobilePay will only redirect users to a registered URL, to prevent redirection attacks in which an attacker obtains an authorization code or access token by having the response sent to a location they control. MobilePay allows you to register multiple redirect URLs.
To be secure, the redirect URL must be an https endpoint, so that the authorization code and tokens cannot be intercepted during the authorization process. If your redirect URL is not https, an attacker who can observe the traffic may intercept the authorization code and use it to hijack the session.
Redirect URLs cannot be dynamic. The OpenID Connect specification says of the redirect_uri parameter: "Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider" (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). The match is a simple string comparison: no wildcards, no prefix matching, and no tolerance for a different scheme, host, port, path, query string or trailing slash.
All redirect URLs must be HTTPS, unless the host is localhost (a loopback address)
- You can use http://127.0.0.1:7890 only on a local machine: a loopback address always points at the machine the browser is running on, so it will not work once the code is running on a server.
- It is intended only for getting started and for testing on a local machine, where no deployment is needed and you get results quickly.
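The following is an added example, not MobilePay's code and not taken from this page, showing the two sides of the rule above: how an OpenID Provider should validate the redirect_uri of an authorization request against the client's pre-registered list (exact string match, HTTPS required except for loopback), and how a client builds a request that will pass that check. A deliberately weak prefix-matching variant is included for contrast, to show what goes wrong when the match is not exact. The client id, the registered URLs, the authorization endpoint and the function names are all hypothetical values chosen for illustration. The rejected cases at the end are also the usual causes of an "invalid redirect URI" error.

```python
"""Added example (not MobilePay's code): exact-match redirect_uri validation
as required by OpenID Connect Core 3.1.2.1, plus a client that builds a
conforming authorization request.  All identifiers below are hypothetical."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration data: what the provider holds per client after the
# developer has had the URLs whitelisted.  Hypothetical client id and URLs.
REGISTERED_REDIRECTS = {
    "demo-merchant": [
        "https://shop.example/callback",
        "http://127.0.0.1:7890/callback",  # loopback: plain http tolerated
    ],
}

# Hosts for which plain http is acceptable (local development only).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_acceptable_scheme(uri: str) -> bool:
    """HTTPS everywhere; plain HTTP only when the host is a loopback address."""
    parts = urlsplit(uri)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the client's registered list.

    No wildcards, no prefix matching, and no normalisation: a trailing slash,
    an extra query parameter or a different port is a different URI and is
    rejected.  The scheme rule is re-checked here so that a mis-registered
    http URL on a public host is still refused at request time.
    """
    registered = REGISTERED_REDIRECTS.get(client_id, [])
    if redirect_uri not in registered:
        return False
    return is_acceptable_scheme(redirect_uri)


def validate_redirect_uri_prefix_weak(client_id: str, redirect_uri: str) -> bool:
    """Deliberately WEAK check, shown for contrast only: accepts anything that
    starts with a registered origin.  'https://shop.example' is a prefix of
    'https://shop.example.attacker.test', so an attacker-controlled host
    passes and the authorization code is delivered to them."""
    for registered in REGISTERED_REDIRECTS.get(client_id, []):
        parts = urlsplit(registered)
        origin = f"{parts.scheme}://{parts.netloc}"
        if redirect_uri.startswith(origin):
            return True
    return False


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str = "openid"):
    """Client side: build the authorization request.  redirect_uri is passed
    exactly as registered; urlencode takes care of percent-encoding.  A random
    state is returned so the caller can bind the response to this request."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state


def redirect_uri_from_request(url: str) -> str:
    """Provider side: recover the redirect_uri parameter from the request URL."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    return query["redirect_uri"][0]


if __name__ == "__main__":
    url, _state = build_authorization_url(
        "https://idp.example/authorize",   # hypothetical endpoint
        "demo-merchant", "https://shop.example/callback")
    print("request :", url)
    print("accepted:", validate_redirect_uri("demo-merchant",
                                             redirect_uri_from_request(url)))
    for candidate in [
        "https://shop.example/callback/",                 # trailing slash
        "https://shop.example/callback?next=x",           # extra query
        "https://shop.example:8443/callback",             # different port
        "https://shop.example.attacker.test/callback",    # attacker host
        "http://10.0.0.5:7890/callback",                  # http, not loopback
    ]:
        print(f"strict={validate_redirect_uri('demo-merchant', candidate)!s:5} "
              f"weak={validate_redirect_uri_prefix_weak('demo-merchant', candidate)!s:5} "
              f"{candidate}")
```

The point of the contrast is that only the strict function rejects https://shop.example.attacker.test/callback; the prefix variant lets it through, which is exactly the redirection attack the whitelist exists to prevent.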
Debugging - Invalid redirect URI
If you get an invalid redirect URI error, make sure the URI you send is exactly the one that has been whitelisted at MobilePay, character for character: scheme, host, port, path, query string and any trailing slash must all match.
Remember that you need to contact email@example.com to have redirect URIs registered for both sandbox and production.
We recommend that, once local development is complete, you remove localhost and related loopback entries from your registered list.