BCP_4_1_1

Redirect URI Validation Attacks on Authorization Code Grant

Some authorization servers allow clients to register redirect URI patterns instead of complete redirect URIs. This approach turned out to be more complex to implement and more error prone to manage than exact redirect URI matching. Several successful attacks exploiting flaws in the pattern matching implementation or concrete configurations have been observed in the wild.

OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.1.1)
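As an added illustration of the quoted point (example code, not from the BCP or from the test suite): an exact-match redirect URI check, with the RFC 8252 loopback port exception, beside a shell-style wildcard matcher of the kind the paragraph warns about. The registered URIs, the client host names and the wildcard pattern are constructed assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed registration data for a hypothetical client: one HTTPS
# callback for the web front end and one loopback callback for a native app.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://client.example/cb",
    "http://127.0.0.1/cb",
})

# Loopback literals from RFC 8252; a native app binds an ephemeral port that
# is unknown at registration time, so the port is the one component allowed
# to differ. The name "localhost" is deliberately not in this set.
LOOPBACK_HOSTS = frozenset({"127.0.0.1", "::1"})


def _components_without_port(uri: str):
    """(scheme, host, path, query, fragment) of a URI, port dropped."""
    p = urlsplit(uri)
    return (p.scheme, p.hostname, p.path, p.query, p.fragment)


def validate_redirect_uri_exact(requested: str,
                                registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Accept only a redirect URI that is string-identical to a registered one.
    The sole relaxation is the loopback case, where any port is accepted but
    scheme, host, path, query and fragment must still match exactly."""
    if requested in registered:
        return True
    comps = _components_without_port(requested)
    if comps[0] == "http" and comps[1] in LOOPBACK_HOSTS:
        return any(comps == _components_without_port(r) for r in registered)
    return False


def validate_redirect_uri_wildcard(requested: str,
                                   pattern: str = "https://*.client.example/cb") -> bool:
    """Pattern matching as the BCP describes it. A '*' is not bounded by '.'
    or '/', so a URI whose authority is an unrelated host can still match."""
    return fnmatchcase(requested, pattern)


if __name__ == "__main__":
    # Constructed requests; the last one exposes the wildcard matcher's gap.
    for uri in ["https://client.example/cb", "https://client.example/cb?state=x",
                "http://127.0.0.1:49152/cb", "https://other.example/?u=.client.example/cb"]:
        print(f"{uri!r}: exact={validate_redirect_uri_exact(uri)} "
              f"wildcard={validate_redirect_uri_wildcard(uri)}")
```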

Mitigations

This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.
