
oauth2.0 redirect_uri, oauth1.0 oauth_callback protection


I am dealing with the Google API (OAuth 2.0) and the Dropbox API (OAuth 1.0),

and am just wondering how I can protect the redirect_uri so that it can only be called by the Google server, and the oauth_callback only by the Dropbox server.

Do I check their IP? Since the URL is always public, if there is no protection for it, someone could find out the URI and carry out the attack without the server noticing anything.

Are there any guidelines that I have missed?

[edited] I was wrong: redirect_uri and oauth_callback are actually called by the clients, not the auth server. So I should check the end user's IP to make sure they are the same one requesting the token.


Solution

  • I don't think you're preventing any attack by checking IPs. Normal users won't disclose their tokens, so you shouldn't get bogus secrets for tokens that you obtained. If an attacker controls your user's computer and obtains the token, they can also use the computer to make requests to your redirect_uri, so the IP check will go through.

    On the other hand, you should make sure that you use https for the OAuth flow, so tokens are protected from network sniffing.
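The asker's edit wants to confirm that a callback belongs to the same user who started the flow; the standard way to get that binding is the OAuth 2.0 `state` parameter (RFC 6749, section 10.12), tied to the browser session, rather than an IP check. The following is an added example, not code from the thread; the session store and the token exchange are simulated and `OAuthClient` is a hypothetical name.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example: bind the redirect_uri callback to the session that started
# the authorization request. A callback that arrives with a state value the
# session never issued, or that reuses a consumed one, is rejected.

STATE_TTL_SECONDS = 300  # a pending authorization older than this is stale


class OAuthClient:
    def __init__(self) -> None:
        # session_id -> (state, issued_at). A real app keeps this in the
        # server-side session store; kept in memory here for the example.
        self._pending: Dict[str, Tuple[str, float]] = {}

    def start_authorization(self, session_id: str) -> str:
        """Issue a fresh, unguessable state for this session."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = (state, time.time())
        return state  # goes into the authorization URL as ?state=...

    def handle_callback(self, session_id: str, state: Optional[str],
                        code: Optional[str]) -> bool:
        """Accept the redirect_uri hit only if state matches this session's pending flow."""
        pending = self._pending.pop(session_id, None)  # single use: pop, never peek
        if pending is None or state is None or code is None:
            return False
        expected, issued_at = pending
        if time.time() - issued_at > STATE_TTL_SECONDS:
            return False
        # Constant-time comparison so the check leaks nothing about the secret.
        if not secrets.compare_digest(expected, state):
            return False
        return self._exchange_code(code)

    def _exchange_code(self, code: str) -> bool:
        # Placeholder for the HTTPS POST to the token endpoint (simulated).
        return code.startswith("code-")


if __name__ == "__main__":
    client = OAuthClient()
    s = client.start_authorization("sess-A")
    print(client.handle_callback("sess-A", s, "code-1"))        # legitimate: True
    print(client.handle_callback("sess-A", s, "code-1"))        # replay: False
    client.start_authorization("sess-A")
    print(client.handle_callback("sess-A", "foreign", "code-2"))  # wrong state: False
```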