To maintain best security practices for our product and for our partner integrations, we’re making a change to how we handle the OAuth redirect that’s used when authenticating registered apps to Mailchimp. By November 10, 2020, you or your developer will need to verify that your app 1) has a saved_URI that matches the submitted_URI, and 2) uses a state parameter if it needs to pass user- or route-specific data.

We’ve determined that this security change impacts your app. Below you’ll find more information about this change and what you need to do.

Background
We require integrations that use OAuth to configure a redirect URI. The user is redirected to this URI after they’ve successfully authenticated with Mailchimp. Previously, we allowed the URI to use fuzzy matching, which means the URI for the registered app didn’t need to be exactly the same as the redirect URI.

Allowing for fuzzy matching isn’t a security best practice, so we’re requiring all current and future registered apps to have a redirect URI that matches their registered URI. 

What you need to do
We’ve determined that your registered app uses OAuth and has at least one redirect URI that doesn't match the registered URI.

Before November 10, you or your developer will want to check that both of the following are true.

Ensure saved_URI and submitted_URI match

It’s a common misconception that the submitted_URI needs to be different for each type of authorization request. This can actually be a security risk, as outlined in the resource linked below.

To ensure your registered app continues to authenticate with Mailchimp after November 10, you’ll want to ensure that the saved_URI matches the submitted_URI.

Use state parameter to pass user- or route-specific data

Depending on the need of your registered app, you may not need to pass user- or route-specific data with your redirect. If you do, however, you can use a state parameter to store data that will be included after the user is redirected.

Additional resources

Okta provides great information about OAuth. In particular, their resource on Redirect URL Registration will give additional context to the importance of having matching registered and redirect URIs and how to use the state parameter.

Questions
If you have any additional questions, please feel free to reply to this email and we’ll be happy to help. 

 
– Mailchimp