[Openid-specs-ab] Additional issues with redirect

John Bradley ve7jtb at ve7jtb.com
Fri May 18 21:41:08 UTC 2012


What is your interpretation of OAuth where:
1: the client registers multiple redirect_uris.
2: The client sends a redirect_uri in the authz request with query parameters.
3: The authz server matches the redirect URI with one of the registered ones up to the query string.
4: The client makes a request to the token endpoint without a redirect_uri.

Is this fine or an error?

My reading of the OAuth Draft implies that this should return an error.

Though from a security point of view the authz server matching the first time should be sufficient.


This needs to be clear for interop. If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter, should it be forced to remember that parameter and send it in the request to the token endpoint?

John B.
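The four steps above, as an added example that is not part of the original post or of any OpenID/OAuth implementation: a toy authorization server that matches the requested redirect_uri against the registered ones up to the query string, binds the issued code to the exact value sent, and then applies the strict reading of the draft at the token endpoint (which is also what RFC 6749 section 4.1.3 later required). Binding the code to the redirect_uri is what stops a code delivered to one redirect from being exchanged by someone presenting a different one; the client, registered URIs and state values are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit
import secrets

# Constructed client registration (assumption, not from the post): one
# client with two full redirect URIs registered.
REGISTERED = {
    "client-1": ["https://app.example/cb", "https://app.example/cb2"],
}

# Issued authorization codes -> (client_id, redirect_uri bound at authz time)
_codes = {}

def _strip_query(uri):
    """Return the URI with query string and fragment removed."""
    s = urlsplit(uri)
    return urlunsplit((s.scheme, s.netloc, s.path, "", ""))

def authorize(client_id, redirect_uri=None):
    """Authorization endpoint (steps 1-3 of the post): the requested
    redirect_uri must match a registered URI up to the query string; the
    issued code is then bound to the exact value the client sent."""
    registered = REGISTERED.get(client_id, [])
    if redirect_uri is None:
        if len(registered) != 1:
            raise ValueError("invalid_request: redirect_uri required")
        bound = None  # single registered URI, nothing was sent to remember
    else:
        if _strip_query(redirect_uri) not in registered:
            raise ValueError("invalid_request: redirect_uri mismatch")
        bound = redirect_uri
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, bound)
    return code

def token(client_id, code, redirect_uri=None):
    """Token endpoint, strict reading (step 4): if a redirect_uri was sent
    in the authorization request, the identical value must be sent again,
    query string included, or the grant is rejected."""
    entry = _codes.pop(code, None)  # codes are single use
    if entry is None or entry[0] != client_id:
        return {"error": "invalid_grant"}
    bound = entry[1]
    if bound is not None and redirect_uri != bound:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
```

Under the looser reading in the post, `token()` would drop the `bound` comparison; the authz-time match in `authorize()` is the check both readings share.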