Can I authenticate a client using OAuth2 without redirect_uri?

Hi guys

Can I authenticate a client using OAuth2 without redirect_uri? I’m using the post message approach, where I open a pop-up window and wait for a callback message from the pop-up. Is this the best approach? Can I do that in a different way?

Thank you and cheers!

redirect_uri is a required parameter according to the spec.

Are you using one of our SDKs? Auth0.js handles popup automatically for you.

3 Likes

Yes, there are ways to authenticate a client without defining the redirect_uri, but it depends on the application whether or not that would be appropriate. I recommend reviewing this article to help make the decision about which authentication flow would be the best to use with your particular application.

I second @luis.rudge’s suggestion to use the Auth0 SDK. It makes it really easy to implement a secure OAuth workflow.

Any additional information you can give about your application would be helpful. Is there any reason in particular that you wouldn’t want/be able to give a redirect_uri?

2 Likes

Thank you for all the info, including the excellent article about OAuth2 flows.

My application is a WordPress plugin that integrates with OAuth2 with my Authentication Server. I can’t register a redirect URI in advance because we don’t know who installs our plugin. So, by the dynamic nature of this, we can’t have a callback URI. We are thinking about an intermediary app with a fixed callback URI that communicates the access_token with our WordPress plugin using JavaScript postMessage. We don’t know about security concerns and if this is the best approach.

I don’t know enough about your scenario, but what you said is what we suggest for people that have multiple apps in multiple domains, for example. So you create an intermediate service, which receives the callback and sends it back to the correct app afterwards. The issue with this approach is that you have to create another service etc.

You might want to use the Management API to add the callback URL dynamically, when the plugin is set up etc. I’m not sure this is possible with the WordPress plugin infrastructure, though.
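
The checks a postMessage relay like the one discussed in this thread needs on both sides, as an added example that is not part of any post above and is not Auth0 code. `RELAY_ORIGIN`, `acceptRelayMessage`, `pickTargetOrigin` and the origin values are hypothetical, and it assumes each plugin install records its site origin with the relay at setup time.

```javascript
// Added example; all names and origins below are constructed for illustration.

// Origin of the intermediary app that owns the fixed, registered redirect_uri.
const RELAY_ORIGIN = "https://relay.example.com";

// Plugin side: decide whether a `message` event really is the relay's answer
// to the login this page started. Returns the token, or null if rejected.
function acceptRelayMessage(event, popup, expectedState) {
  // 1. Only the relay's origin may deliver tokens; any window can call postMessage.
  if (event.origin !== RELAY_ORIGIN) return null;
  // 2. The sender must be the popup this page opened, not some other frame.
  if (event.source !== popup) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  // 3. `state` ties the response to the request this page initiated.
  if (typeof data.state !== "string" || data.state !== expectedState) return null;
  if (typeof data.access_token !== "string" || data.access_token === "") return null;
  return data.access_token;
}

// Relay side: choose the targetOrigin argument for postMessage. Using "*"
// would hand the token to whatever page happens to be the opener.
function pickTargetOrigin(requestedOrigin, knownInstallOrigins) {
  let origin;
  try {
    origin = new URL(requestedOrigin).origin; // normalise, drop path and query
  } catch {
    return null; // not a parseable URL
  }
  if (!origin.startsWith("https://")) return null;
  // Assumption: installs registered their origin with the relay at setup.
  return knownInstallOrigins.includes(origin) ? origin : null;
}

// Browser wiring (not executed here):
// window.addEventListener("message", (e) => {
//   const token = acceptRelayMessage(e, popup, state);
//   if (token) { popup.close(); /* use token */ }
// });
// In the relay popup, with `target` from pickTargetOrigin:
// window.opener.postMessage({ state, access_token }, target);
```

The relay refuses to post when `pickTargetOrigin` returns null, and the plugin ignores any message for which `acceptRelayMessage` returns null.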