Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U04UQ68083H> when we call hydra /oauth2/auth api with redirect_uri param, does hydra validate this redirect_uri value with oauth2 client's callback url ?

Yes. Hydra validates that the redirect_uri in /oauth2/auth matches one of the client’s pre-registered redirect URLs. This is explicitly called out as a security principle (“Validate Pre-Registered 'redirect_uri'” and binding the authorization code to the redirect_uri), and troubleshooting docs emphasize that the redirect URL must be whitelisted on the client and match exactly (including query params) (["OAuth 2.0 security overview"](<https://www.ory.sh/docs/hydra/security-architecture>), ["Refresh Token flow fails"](<https://www.ory.sh/docs/hydra/debug#refresh-token-flow-fails>), ["Resolve redirect URL mismatch errors"](<https://www.ory.sh/docs/getting-started/integrate-auth/auth-js#resolve-redirect-url-mismatch-errors>)).