[Openid-specs-ab] [openid/connect] Inconsistent treatment of redirect_uri parameter (issue #669)
issues-reply at bitbucket.org
Fri Oct 19 21:13:25 UTC 2012
--- you can reply above this line ---
New issue 669: Inconsistent treatment of redirect_uri parameter
OAuth 2.0 (RFC 6749!) defines redirect_uri as an optional parameter in an authorization request in cases where the client has a single unambiguous redirect_uri registered with the AS and then only requires it in an access token request when it had previously been included in the corresponding authorization request .
The treatment of redirect_uri in the Connect specs isn't always consistent with OAuth, however, and is also somewhat internally inconsistent though different Connect specs.
Standard has redirect_uri required in the authorization request  while allowing it to be omitted in the token request . Messages has it required  as does Basic  and Implicit . The wording in Registration seem to suggest that it's required .
I'd argue that Connect should be consistent with the OAuth for redirect_uri treatment. It should be optional/required under the same conditions as in OAuth (unless there is some compelling reason to differ). It might make sense to just defer directly to OAuth for the core parameter definitions and only define in Connect additional parameters or those that do need to be treated differently.
This is an issue notification from bitbucket.org. You are receiving
this either because you are the owner of the issue, or you are
following the issue.
More information about the Openid-specs-ab