---
title: Validate OAuth Redirect URIs Exactly
impact: CRITICAL
impactDescription: prevents OAuth redirect hijacking
tags: oauth, redirect, uri, validation, security, csharp
---

## Validate OAuth Redirect URIs Exactly

If you are implementing an Identity Provider (authorization server), compare the `redirect_uri` supplied in an authorization request against the client's registered redirect URIs with an exact string match. Prefix, substring, or wildcard checks can be satisfied by a URI whose host or path is under an attacker's control, which lets the authorization code or token be redirected away from the legitimate client.

**Incorrect (loose validation):**

```csharp
// A prefix check accepts any URI that merely begins with the registered origin,
// e.g. https://myapp.com.evil.com/callback or https://myapp.com/callback/../other
if (redirectUri.StartsWith("https://myapp.com"))
{
    return true;
}
```

**Correct (exact match):**

```csharp
using System;
using System.Collections.Generic;

var allowedUris = new HashSet<string>(StringComparer.Ordinal)
{
    "https://myapp.com/callback",
    "https://mobile.myapp.com/auth"
};

// Must match exactly: a case-sensitive ordinal comparison of the whole string,
// so a different host, scheme, path, query string or letter case is rejected.
if (!allowedUris.Contains(redirectUri))
{
    return BadRequest("Invalid redirect_uri");
}
```
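The following is an added example (not code from the page or from IdentityServer/OpenIddict) that puts the exact-match check into a small validator keyed by client id and runs it, alongside the loose prefix check, over constructed sample URIs; the client id, URIs and `RedirectUriValidator` name are assumptions.

```csharp
using System;
using System.Collections.Generic;

public static class RedirectUriValidator
{
    // Registered redirect URIs per client, as stored at client registration time.
    // Constructed sample data: one client with two registered URIs.
    private static readonly Dictionary<string, HashSet<string>> Registered =
        new Dictionary<string, HashSet<string>>
        {
            ["web-client"] = new HashSet<string>(StringComparer.Ordinal)
            {
                "https://myapp.com/callback",
                "https://mobile.myapp.com/auth"
            }
        };

    // Exact match: true only when redirectUri is character-for-character one of
    // the client's registered URIs. No prefix, wildcard or case folding.
    public static bool IsAllowed(string clientId, string redirectUri)
    {
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(redirectUri))
            return false;
        if (!Registered.TryGetValue(clientId, out var uris))
            return false;
        return uris.Contains(redirectUri);
    }

    // The loose prefix check from the "Incorrect" snippet, kept for comparison only.
    public static bool IsAllowedLoose(string redirectUri) =>
        redirectUri != null && redirectUri.StartsWith("https://myapp.com");

    public static void Main()
    {
        // Constructed inputs: registered URIs plus variants that should be rejected.
        string[] samples =
        {
            "https://myapp.com/callback",            // registered
            "https://mobile.myapp.com/auth",         // registered
            "https://myapp.com.evil.com/callback",   // different host
            "https://myapp.com/callback/../other",   // different path
            "https://myapp.com/callback?x=1",        // extra query string
            "https://MYAPP.com/callback",            // letter case differs
            "http://myapp.com/callback"              // scheme differs
        };
        Console.WriteLine("exact loose  redirect_uri");
        foreach (var uri in samples)
            Console.WriteLine($"{IsAllowed("web-client", uri),-5} {IsAllowedLoose(uri),-5}  {uri}");
    }
}
```

Only the first two samples pass the exact check; the loose check additionally accepts the attacker-controlled host, the traversal path and the query-string variant.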

**Tools:** IdentityServer, OpenIddict Configuration
