Stricter Redirect Checks Required on Log In With PayPal Applications

Over the next few weeks we will be releasing a security update to Log In With PayPal. This update will impose stricter checks around verification of the redirect_uri parameter passed in the application and the redirect_uri that was used when signing up for application credentials on the PayPal developer application dashboard.

This update will require merchants and developers to update their existing applications if there is a mismatch between the redirect URI used in the application code and with the application details on the PayPal developer application dashboard.

All parts of the URI — Protocol, host, port, context path, and query parameters (including parameter names and values) — must match, with the exception of the state query parameter. The state query parameter can be used for merchants/developers to pass state information that is not known at the time of registering the application redirect URI.

How do I verify if I need to make a change?

Follow these steps to ensure that you have matching redirect_uri parameters between your code and the application you signed up for:

1. Load up your application on the PayPal developer application dashboard. Take note of the “Return URL” under the “Sandbox App Settings” section at the bottom of the application, as shown here:

1. Go into your application code, and look at the redirect_uri parameter being passed to the /authorization, /token, and /endsession (if used) endpoints for Log In With PayPal.
2. If anything but the state query string parameter values (protocol, host, port, context path, or query string parameters other than state) do not match, then you need to update your application.

How do I make the change to our application?

You have two options with this change, you can either update the redirect_uri parameters within the PayPal developer application dashboard application (recommended) or you can change those redirects in your code.

Changing the redirects in the application is by far the easier option, which is why it’s recommended. Simply change the URIs in the application to match those that are actually used in your code and click save. That is all that is required.

If you choose to go the route of modifying your code, just ensure that the redirect_uri parameters in the code match those used within the PayPal developer dashboard application.

What if I need more time to implement this fix, or need support?

For support requests, please post the issue and all applicable code to Stack Overflow with the PayPal tag. Our support teams will be monitoring those forums and can help with integration problems.

If you need additional time to make these updates, or have any issues, please contact Customer Support and they will be able to assist you further.