[Openid-specs-ab] Additional issues with redirect

Richer, Justin P. jricher at mitre.org
Sat May 19 00:17:47 UTC 2012

As I read things, I see it as an error as well. I can see the point in relaxing, since it would mean less to remember for both client and AS, but I think it's clearer if there's one code path, and only one path, to take if the client sends the redirect_uri to the authz endpoint. 

I feel like this needs flowcharts or something. Maybe I'll try to draw them up for the group sometime here.

 -- Justin
From: John Bradley [ve7jtb at ve7jtb.com]
Sent: Friday, May 18, 2012 5:41 PM
To: Richer, Justin P.
Cc: <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] Additional issues with redirect


What is your interpretation of OAuth where:
1: the client registers multiple redirect_uri.
2: The client sends a redirect_uri in authz request with query parameters.
3: The authz server matches the redirect URI with one of the registered ones up to the query string.
4: The client makes a request to the token endpoint without a redirect_uri

Is this fine or an error?

My reading of the OAuth Draft implies that this should return an error.

Though from a security point of view the authz server matching the first time should be sufficient.


This needs to be clear for interop. If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter, should it be forced to remember that parameter and send it in the request to the token endpoint?

John B.
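The four-step scenario above, modelled as an added example (not code from this thread or from any OpenID implementation) of the redirect_uri checks RFC 6749 Section 4.1.3 puts on the token endpoint; the class, function and client names are my own, and the matching rule at the authorization endpoint is the "up to the query string" one John describes:

```python
import secrets
from urllib.parse import urlsplit

class AuthzServer:
    # Constructed model of an OAuth 2.0 authorization server; not production code.
    def __init__(self):
        self.registered = {}  # client_id -> list of registered redirect URIs
        self.codes = {}       # code -> (client_id, redirect_uri sent at authz, or None)

    def register(self, client_id, redirect_uris):
        self.registered[client_id] = list(redirect_uris)

    def _matches_registered(self, client_id, redirect_uri):
        # Compare scheme, authority and path only; the query may vary (RFC 6749 3.1.2.2).
        sent = urlsplit(redirect_uri)
        for reg in self.registered.get(client_id, []):
            r = urlsplit(reg)
            if (sent.scheme, sent.netloc, sent.path) == (r.scheme, r.netloc, r.path):
                return True
        return False

    def authorize(self, client_id, redirect_uri=None):
        """Authorization endpoint: issues a code bound to the redirect_uri exactly as sent."""
        if redirect_uri is None and len(self.registered.get(client_id, [])) != 1:
            raise ValueError("invalid_request: redirect_uri required")
        if redirect_uri is not None and not self._matches_registered(client_id, redirect_uri):
            raise ValueError("invalid_request: redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        return code

    def token(self, client_id, code, redirect_uri=None):
        """Token endpoint: if redirect_uri was sent at authz it is REQUIRED here and MUST be identical."""
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid_grant")
        if entry[1] is not None and redirect_uri != entry[1]:
            raise ValueError("invalid_grant: redirect_uri missing or not identical")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

def thread_scenario(send_uri_at_token):
    # Steps 1-4 from the thread; returns "error" or "ok" for step 4.
    srv = AuthzServer()
    srv.register("c1", ["https://app.example/cb", "https://app.example/cb2"])
    code = srv.authorize("c1", "https://app.example/cb?step=3")
    try:
        srv.token("c1", code, "https://app.example/cb?step=3" if send_uri_at_token else None)
        return "ok"
    except ValueError:
        return "error"
```

Omitting the redirect_uri at the token endpoint (step 4) fails under the strict reading, and sending it without the query string fails too, because the bound value includes the query; only the identical string succeeds.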
