#sknebel so to explicitly go back to the question again: A whitelist is probably fine. Otherwise you could check if it explicitly matches the possible parameter combinations for the various specs (where e.g. redirect_uri and callback_url in one request would be forbidden)