[Openid-specs-fapi] Issue #128: redirect_uri in url query vs request object (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Fri Jan 12 08:27:38 UTC 2018

New issue 128: redirect_uri in url query vs request object

Joseph Heenan:

FAPI part 1 says "shall require the `redirect_uri` parameter in the authorization request;".

It's not 100% clear to me what this means.

OpenBanking appear to have interpreted it as meaning "the redirect_uri must be present in the url query". OpenBanking also require the redirect_uri to be within the request object. The core specs clearly say that if both are present the request object one overrides the url query one.

I think we should be clearer; I am thinking that if the redirect_uri is present in the request object it should NOT be in the url query. Having the uri in two places just seems unnecessary and could potentially result in the AS using the wrong one in some paths.
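Added example, not part of the original message or of any FAPI or OpenBanking code: a sketch of how an authorization server could resolve `redirect_uri` when it may appear in both the url query and the request object, applying the override rule quoted above and reporting when the two copies differ. The endpoint, client values, finding labels and function names are assumptions made for the example, and request object signature verification is deliberately left out.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def request_object_claims(jwt: str) -> dict:
    # Payload decode only; signature verification, which a real AS must do
    # before trusting any claim, is out of scope for this example.
    _header, payload, _signature = jwt.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def resolve_redirect_uri(authorization_url: str):
    """Return (effective redirect_uri, finding) for one authorization request."""
    query = parse_qs(urlsplit(authorization_url).query)
    in_query = query.get("redirect_uri", [None])[0]
    in_object = None
    if "request" in query:
        in_object = request_object_claims(query["request"][0]).get("redirect_uri")
    if in_object is None:
        return in_query, "query-only" if in_query else "missing"
    if in_query is None:
        return in_object, "request-object-only"
    # Request object wins; a differing query value is reported, not used.
    return in_object, "duplicate" if in_query == in_object else "mismatch"


def sample_request(query_uri, object_uri) -> str:
    # Constructed sample: placeholder endpoint, client and signature segment.
    params = {"client_id": "example-client", "response_type": "code id_token"}
    if query_uri:
        params["redirect_uri"] = query_uri
    if object_uri:
        claims = {"client_id": "example-client", "redirect_uri": object_uri}
        header = _b64url(json.dumps({"alg": "PS256"}).encode())
        params["request"] = f"{header}.{_b64url(json.dumps(claims).encode())}.sig"
    return "https://as.example/authorize?" + urlencode(params)


if __name__ == "__main__":
    for q, o in [("https://client.example/cb", "https://client.example/cb"),
                 ("https://client.example/old", "https://client.example/cb"),
                 (None, "https://client.example/cb")]:
        print(resolve_redirect_uri(sample_request(q, o)))
```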
