Yammer will now restrict redirect URLs to the specific URL provided

December 4, 2018
The original article is published on the Microsoft Tech Community Yammer Blog.

During a recent security review, the Yammer team investigated making a change to the redirect URL that apps use to send users from Yammer’s Allow/Deny screen back into their app. The redirect URL setting lets an app developer determine where the authorizing OAuth user’s access token is sent, and in certain configurations it could be used to trick the user into revealing their credentials to a malicious party.
To prevent this, Yammer has decided to change the redirect URL validation so that redirects are allowed only to the single registered domain, rather than letting the redirect URL in the request specify a subdomain of it.
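To make the difference between the two validation rules concrete, the following is an added example, not Yammer's code: a permissive check that accepts any host under the registered domain, beside the strict check that accepts only the registered URL itself. The registered URL and the host names are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample: the single redirect URL an app developer registered
# (hypothetical value, not a real Yammer app setting).
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalized(url):
    """Return (scheme, host, port, path, query, fragment) for literal comparison.

    urlsplit already lower-cases the scheme and host. Only the default port
    for the scheme is normalized; the path is compared byte-for-byte, so
    'callback/' and 'callback/../other' are different from 'callback'.
    Returns None when the URL cannot be parsed (for example a non-numeric port).
    """
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = _DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname or "", port,
            parts.path, parts.query, parts.fragment)


def subdomain_match(registered, requested):
    """Permissive check that accepts any host under the registered domain.

    This mirrors the behaviour the announcement describes as being removed:
    the request may name a subdomain of the registered domain, and the path
    is not compared at all.
    """
    reg, req = _normalized(registered), _normalized(requested)
    if reg is None or req is None:
        return False
    same_scheme = reg[0] == req[0]
    host_ok = req[1] == reg[1] or req[1].endswith("." + reg[1])
    return same_scheme and host_ok


def exact_match(registered, requested):
    """Strict check: the requested redirect URL must be the registered URL.

    Scheme, host, port, path and query must all be identical, and the request
    may not carry a fragment (RFC 6749 section 3.1.2 forbids a fragment in
    the redirection endpoint URI).
    """
    reg, req = _normalized(registered), _normalized(requested)
    if reg is None or req is None:
        return False
    if req[5] != "":
        return False
    return reg[:5] == req[:5]


if __name__ == "__main__":
    # Constructed request values, to show where the two rules disagree.
    for candidate in (
        "https://app.example.com/oauth/callback",
        "https://unregistered.app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback/",
    ):
        print(candidate, "subdomain:", subdomain_match(REGISTERED_REDIRECT, candidate),
              "exact:", exact_match(REGISTERED_REDIRECT, candidate))
```

The permissive rule accepts `https://unregistered.app.example.com/oauth/callback`, so any host under the registered domain would receive the token; the strict rule rejects it, and also rejects a changed path, a changed scheme or an added fragment, which is the behaviour the announcement describes.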
