
OAuth2 client registration: should redirect_uri be unique across clients?

When operating an OAuth2 Authorization Server:

The authorization server MUST require the following clients to
register their redirection endpoint:

o Public clients.

o Confidential clients utilizing the implicit grant type.

The authorization server SHOULD require all clients to register their
redirection endpoint prior to utilizing the authorization endpoint.

Lack of a redirection URI registration requirement can enable an
attacker to use the authorization endpoint as an open redirector as
described in Section 10.15.

Is there any added security benefit to enforcing a uniqueness constraint on registered redirect_uris? That is, any given redirect_uri could be associated with at most one particular client?

I’m thinking particularly for the case of public clients, where the redirect_uri is the only means the authorization server has to identify the client (since the client cannot protect client credentials), but I’m also interested in answers about private clients.

Are there any vulnerabilities exposed if an attacker could register a new client with the same redirect_uri as an existing client?
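As an added illustration (not part of the original question or any answer to it), the sketch below shows the two registration policies the question contrasts, implemented in a toy client registry for an authorization server. Registration validates each redirect_uri as RFC 6749 Section 3.1.2 requires (absolute URI, no fragment) and authorization requests are checked by exact string comparison against the registered value, the matching rule RFC 6749 Section 10.6 and the OAuth 2.0 Security BCP recommend. The `unique_redirect_uris` switch is the uniqueness constraint under discussion; with it off, `owners_of()` makes visible that two public clients registered with the same URI cannot be told apart by that attribute. The client ids and URIs are constructed sample values, and the allowance for plain http on the loopback interface follows RFC 8252 Section 7.3 and is an assumption of this example, not something the question states.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class RegistrationError(ValueError):
    """Raised when a client registration is rejected by policy."""


@dataclass
class Client:
    client_id: str
    redirect_uris: frozenset  # complete URIs, registered before first use
    confidential: bool        # True only if the client can keep a client_secret


@dataclass
class ClientRegistry:
    # Policy switch the question asks about: may one redirect_uri belong to
    # several clients (False) or to at most one client (True)?
    unique_redirect_uris: bool = False
    _clients: dict = field(default_factory=dict)

    @staticmethod
    def _check_uri(uri: str) -> None:
        """RFC 6749 3.1.2: absolute URI, no fragment; https except on loopback (RFC 8252 7.3)."""
        parts = urlsplit(uri)
        loopback = parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1")
        if parts.scheme != "https" and not loopback:
            raise RegistrationError(f"redirect_uri must use https (http only on loopback): {uri}")
        if "#" in uri:
            raise RegistrationError(f"redirect_uri must not contain a fragment: {uri}")

    def owners_of(self, uri: str) -> list:
        """client_ids that currently have exactly this URI registered."""
        return sorted(cid for cid, c in self._clients.items() if uri in c.redirect_uris)

    def register(self, client_id: str, redirect_uris, confidential: bool = False) -> None:
        if client_id in self._clients:
            raise RegistrationError(f"client_id already registered: {client_id}")
        uris = frozenset(redirect_uris)
        if not uris:
            raise RegistrationError("at least one redirect_uri is required")
        for uri in uris:
            self._check_uri(uri)
            if self.unique_redirect_uris and self.owners_of(uri):
                raise RegistrationError(
                    f"redirect_uri already registered by {self.owners_of(uri)}: {uri}")
        self._clients[client_id] = Client(client_id, uris, confidential)

    def redirect_uri_is_valid(self, client_id: str, redirect_uri: str) -> bool:
        """Authorization-endpoint check: exact string match only, no prefix or pattern matching."""
        client = self._clients.get(client_id)
        if client is None:
            return False
        return redirect_uri in client.redirect_uris


def demo() -> dict:
    """Register two public clients with the same callback under both policies."""
    cb = "https://app.example/callback"  # constructed sample value

    shared = ClientRegistry()                     # uniqueness not enforced
    shared.register("app-a", [cb])
    shared.register("app-b", [cb])                # accepted: same URI, two clients

    strict = ClientRegistry(unique_redirect_uris=True)
    strict.register("app-a", [cb])
    try:
        strict.register("app-b", [cb])            # rejected: URI already owned by app-a
        strict_rejected = False
    except RegistrationError:
        strict_rejected = True

    return {
        "owners_when_shared": shared.owners_of(cb),
        "exact_match_ok": shared.redirect_uri_is_valid("app-a", cb),
        "query_suffix_ok": shared.redirect_uri_is_valid("app-a", cb + "?next=x"),
        "strict_rejected_duplicate": strict_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the exact-match check is independent of the uniqueness policy: whichever registration rule the server adopts, a redirect_uri in an authorization request that differs from the registered value by so much as a query parameter is refused, which is what closes the open-redirector concern the quoted RFC text raises.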

