Including the redirect URI in the access token request, even though no redirection occurs at this stage, is primarily for security purposes in the OAuth 2.0 authorization code flow. Here's why it's important:
Validation and Consistency Check: The authorization server uses the redirect URI provided in the access token request to validate against the one used in the initial authorization request. This is a security measure to ensure that the entity exchanging the authorization code for an access token is the same one that initiated the authorization request. It helps to prevent an attack where an authorization code is intercepted and used by a malicious entity.
Preventing Redirect URI Manipulation: By requiring the redirect URI to be included in both the authorization request and the access token request, OAuth ensures that the redirect URI cannot be easily manipulated or altered by an attacker. If the redirect URIs don't match, the token request can be rejected, preventing unauthorized access.
Registered Redirect URIs: Typically, OAuth 2.0 clients register their redirect URIs with the authorization server when they set up their application. The authorization server can then cross-check the redirect URI provided in the token request against the registered URIs to further ensure the legitimacy of the request.
Compliance with OAuth 2.0 Specification: The OAuth 2.0 specification requires this as part of its protocol. Adhering to the specification ensures compatibility and interoperability between different OAuth 2.0 implementations.
In summary, the inclusion of the redirect URI in the token request is a security measure designed to ensure that the token is issued to the legitimate and authorized client. It prevents a class of attacks where an authorization code might be intercepted or redirected to a malicious client.
The redirect URL to which the user is returned after the authorization code is issued does exist.
Separately from that URL, the issued authorization code must then be sent server-to-server to request the access token.
At the step where the access token is issued, the redirect URL is not needed.
The reason it is still included is the security concern described above.
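As an added example that is not part of the original post, the following models the authorization-server side of the check described above: the authorization endpoint records which client and redirect_uri each code was issued for, and the token endpoint accepts the code only if the same client presents it with the identical redirect_uri. Client ids, URLs and function names are constructed for illustration.

```python
import secrets
import time

# Registered clients and their allowed redirect URIs (constructed sample data).
REGISTERED_CLIENTS = {
    "client-abc": {"https://app.example.com/callback"},
}

# Issued authorization codes: code -> binding recorded at authorization time.
_issued_codes = {}


def issue_code(client_id, redirect_uri, ttl=60):
    """Authorization endpoint: bind a fresh single-use code to the client and
    the exact redirect_uri used in the authorization request."""
    if client_id not in REGISTERED_CLIENTS:
        raise ValueError("unknown_client")
    if redirect_uri not in REGISTERED_CLIENTS[client_id]:
        raise ValueError("invalid_redirect_uri")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "expires": time.time() + ttl,
        "used": False,
    }
    return code


def exchange_code(client_id, code, redirect_uri):
    """Token endpoint: return "ok" when the code may be exchanged, otherwise
    the OAuth error string the server would answer with."""
    record = _issued_codes.get(code)
    if record is None or record["used"] or record["expires"] < time.time():
        return "invalid_grant"
    # Mark the code used before any further check, so a failed attempt
    # (e.g. wrong redirect_uri) also burns it and cannot be retried.
    record["used"] = True
    if record["client_id"] != client_id:
        return "invalid_grant"
    # Exact string comparison against the value bound at issue time:
    # no prefix matching, no normalisation.
    if record["redirect_uri"] != redirect_uri:
        return "invalid_grant"
    return "ok"
```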