diff --git a/oauth2/handlers.go b/oauth2/handlers.go
index 7c7d03d..c179f6a 100644
--- a/oauth2/handlers.go
+++ b/oauth2/handlers.go
@@ -733,12 +733,21 @@ func (s *Server) redirectWithError(w http.ResponseWriter, r *http.Request, redir
 return
 }
- u, err := url.Parse(redirectURI)
+ // Normalize backslashes to forward slashes before parsing
+ normalized := strings.ReplaceAll(redirectURI, "\\", "/")
+ u, err := url.Parse(normalized)
 if err != nil {
 s.renderLoginError(w, description)
 return
 }
+ // Only allow local redirects (no hostname)
+ if u.Hostname() != "" {
+ s.renderLoginError(w, description)
+ return
+ }
+
 q := u.Query()
 q.Set("error", errCode)
 q.Set("error_description", description)
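Review bot: The new `u.Hostname() != ""` check is still bypassable with a scheme-only target such as `http:evil.com`, because net/url parses a rootless path after a scheme into `u.Opaque` with an empty `Host`, while browsers resolve `http:evil.com` as `http://evil.com/`; if the URL is later handed to http.Redirect (the rest of redirectWithError is outside the hunk) that is an off-site redirect even with the backslash normalization in place. Reject any scheme, opaque part or authority rather than only a non-empty hostname: `if u.Scheme != "" || u.Opaque != "" || u.Host != "" {`. Using `u.Host` instead of `Hostname()` also catches an authority that is only a port (`//:80`), which `Hostname()` reports as empty. If callers are expected to pass absolute local paths, additionally requiring `strings.HasPrefix(u.Path, "/")` pins the redirect to the site root rather than to something relative to the current request path. The hunk introduces a `strings.ReplaceAll` call, so confirm `strings` is already imported in handlers.go, as the import block is not visible here.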