oauth implementation security

Hi @essy Welcome to the community!

Would you mind sharing the call you made for updating the redirect URL? 
As for your second question, I’m checking with our technical team for you. :) 

If you think of anything else in the meantime, please let me know!

Hi @essy 

We do check if the redirect_uri is part of the ones that were defined in the application settings. If it’s not you should see a “BAD REDIRECT URI” error.

And for your second question: if a user first authorized your app with accounts:read and forms:read scopes but later on you add another scope like forms:write. The second time they go through the authorization flow they should see the newly added scope.

Hope it makes sense

hello, thanks for getting back to me, I tried the following:

GET /login/oauth?client_id=BA8U1Z2G37NLMbi8rcyfWd8KVz5QxTDxdU7c1ErvSAEQ&redirect_uri=https%3A%2F%2Fec2-18-237-101-174.us-west-2.compute.amazonaws.com HTTP/2

Host: admin.typeform.com

and it returned back a HTTP/2 200 OK

Date: Thu, 14 Oct 2021 22:26:36 GMT

Hi @essy,

I am not sure I understand what is your issue.

You can find more details about our oAuth flow and the different steps in our documentation.
 

If you are using Javascript you can find a working example over here.

Finally, if this is the first time implementing oauth, Anabella Spinelli wrote a really nice article to explain the “oauth dance”.

Keep us updated 😉

Hello, I was just asking if it’s a potential security vulnerability that the redirect_uri can be modified and the server returns a HTTP 200!

Ok thank you for the clarification, I was just reviewing the security around your oauth implementation and flow. Thanks!