[Openid-specs-ab] Additional issues with redirect
John Bradley
ve7jtb at ve7jtb.com
Fri May 18 21:41:08 UTC 2012
Justin,
What is your interpretation of OAuth where:
1: The client registers multiple redirect_uri.
2: The client sends a redirect_uri in authz request with query parameters.
3: The authz server matches the redirect URI with one of the registered ones up to the query string.
4: The client makes a request to the token endpoint without a redirect_uri
Is this fine or an error?
My reading of the OAuth Draft implies that this should return an error.
Though from a security point of view the authz server matching the first time should be sufficient.
Thoughts?
This needs to be clear for interop. If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter, should it be forced to remember that parameter and send it in the request to the token endpoint?
John B.
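
The four steps in the message above, sketched as an added example that is not part of the original e-mail. It follows the rule as published in RFC 6749 section 4.1.3 (redirect_uri is required at the token endpoint if it was sent in the authorization request, and the two values must be identical); the client id, URIs, function names and reason strings are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import secrets

# Constructed registration: one client, one registered redirect_uri (step 1).
REGISTERED = {"client-1": ["https://client.example/cb"]}
CODES = {}  # code -> (client_id, redirect_uri sent in the authz request, or None)


def strip_query(uri):
    """Return the URI up to, but not including, the query string."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}{p.path}"


def authorize(client_id, redirect_uri=None):
    """Steps 2-3: match the requested URI against registrations up to the query."""
    registered = REGISTERED[client_id]
    if redirect_uri is None:
        if len(registered) != 1:
            raise ValueError("redirect_uri required with multiple registrations")
    elif strip_query(redirect_uri) not in registered:
        raise ValueError("redirect_uri does not match a registered value")
    code = secrets.token_urlsafe(16)
    CODES[code] = (client_id, redirect_uri)  # remember exactly what was sent
    return code


def token(client_id, code, redirect_uri=None):
    """Step 4: redeem the code; returns (ok, reason). Reason strings are hypothetical."""
    bound_client, sent = CODES.pop(code, (None, None))  # codes are single use
    if bound_client != client_id:
        return False, "unknown_code"
    if sent is not None and redirect_uri is None:
        return False, "redirect_uri_missing"   # the case asked about in step 4
    if sent is not None and redirect_uri != sent:
        return False, "redirect_uri_mismatch"  # query string is part of the value
    return True, "ok"
```

Under this rule a client that carries state in the redirect_uri query string has to replay the full URI, query included, at the token endpoint; a client that omits redirect_uri from the authorization request has nothing to replay.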