Should we validate the plugin_id in redirect_uri or not?


We implemented the entire auth flow, following both the OAuth RFC and the OpenAI documentation.

There is only one thing that remains unclear, though.

The documentation says that the Authorize endpoint (auth.client_url) will be called with the redirect_uri parameter formatted as follows: `<some_plugin_id>/oauth/callback`

Our backend is going to verify that the redirect_uri matches the domain.

However, should we also validate that the plugin_id corresponds to the ClientId entered during the plugin installation process, or is trusting the domain of redirect_uri enough?

Let me know if you need some clarification :slight_smile:

Thanks for your help folks.
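An added example, not part of the original post, contrasting the two checks the question describes: a host-only match on redirect_uri versus an exact match against the full redirect URI registered for the client at install time. Exact string comparison of a fully registered redirect URI is what RFC 6749 §3.1.2.3 and the OAuth 2.0 Security BCP call for. The client id, host and plugin id below are constructed placeholders, not real OpenAI values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registration data (placeholders): each client_id maps to the
# complete redirect URIs recorded when the plugin was installed.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://chat.example.invalid/aip/plugin-abc/oauth/callback"},
}


def canonical(uri: str) -> Optional[str]:
    """Return a comparable form of the URI, or None if it is unacceptable.

    Scheme and host are case-insensitive and a default port is dropped;
    the path is kept exactly as presented so that it must match byte for byte.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        return None  # redirect targets must be TLS-protected
    if parts.query or parts.fragment:
        return None  # nothing may be appended beyond what was registered
    if parts.username or parts.password:
        return None  # rejects "https://trusted.host@other.host/..." confusion
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if port is not None and port != 443:
        host = f"{host}:{port}"
    return f"https://{host}{parts.path}"


def host_only_allowed(uri: str, trusted_host: str) -> bool:
    """Weak check: accepts any path on the trusted host, so a callback under a
    different plugin id on the same host is accepted too."""
    c = canonical(uri)
    return c is not None and urlsplit(c).hostname == trusted_host.lower()


def exact_redirect_allowed(client_id: str, uri: str) -> bool:
    """Strict check: the presented redirect_uri must equal (after canonical
    normalisation) one of the URIs registered for this client_id, which ties
    the plugin id in the path to the client that was installed."""
    c = canonical(uri)
    if c is None:
        return False
    registered = {canonical(r) for r in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    registered.discard(None)
    return c in registered


if __name__ == "__main__":
    same_host_other_plugin = "https://chat.example.invalid/aip/plugin-other/oauth/callback"
    print("host-only:", host_only_allowed(same_host_other_plugin, "chat.example.invalid"))
    print("exact    :", exact_redirect_allowed("client-123", same_host_other_plugin))
```

In the authorize handler, `exact_redirect_allowed(client_id, redirect_uri)` is evaluated before any code or token is issued, and a failed check ends the request with an error page rather than a redirect to the presented URI.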