Is it possible to use OAuth 2.0 without a redirect server?

Yes, it is possible to use OAuth2 without a callback URL.
The RFC6749 introduces several flows. The Implicit (now deprecated[1]) and Authorization Code grant types require a redirect URI. However the Resource Owner Password Credentials (deprecated as well[1]) grant type does not.

Since RFC6749, other specifications have been issued that do not require any redirect URI:

Also, with OpenID Connect, the response mode is not necessarily a redirection to the redirect_uri parameter, but can be a POST request to that endpoint. See the OAuth 2.0 Form Post Response Mode specification for more details.

In any case, if the grant types above do not fit on your needs, nothing prevent you from creating a custom grant type.

[1]: OAuth 2.1 specification (draft 07)

Leave a Comment