[Openid-specs-ab] Additional issues with redirect

Breno de Medeiros breno at google.com
Tue May 22 18:05:39 UTC 2012

On Tue, May 22, 2012 at 10:58 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> Just to clarify.
> The value of the state parameter changes each time so it cannot be
> registered to be exact match of course.
> So what is the concrete matching rule?
> Match the scheme, host, port and query parameter names?

No, we match the redirect_uri exactly. The only way to pass state in a
request to Google Auth server is to use the state parameter.

> =nat via iPhone
> On 2012/05/19, at 14:34, Breno de Medeiros <breno at google.com> wrote:
>> Google authz server requires exact match and allows no query
>> parameters. The OAuth2 protocol was designed to support this by adding
>> a pre-defined state parameter.


More information about the Openid-specs-ab mailing list