[Openid-specs-ab] Additional issues with redirect
ve7jtb at ve7jtb.com
Fri May 18 21:41:08 UTC 2012
What is your interpretation of OAuth where:
1: the client registers multiple redirect_uri.
2: The client sends a redirect_uri in authz request with query parameters.
3: The authz server matches the redirect URI with one of the registered ones up to the query string.
4: The client makes a request to the token endpoint without a redirect_uri.
Is this fine or an error?
My reading of the OAuth Draft implies that this should return an error.
Though from a security point of view the authz server matching the first time should be sufficient.
This needs to be clear for interop. If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter, should it be forced to remember that parameter and send it in the request to the token endpoint?
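An added example, not part of the original message or of any OAuth/OpenID project code: a minimal in-memory authorization server in Python that replays the four steps above and applies the rule as published in RFC 6749 section 4.1.3 (redirect_uri is required at the token endpoint if it was sent in the authorization request, and the two values must be identical). The client id, URIs and function names are constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit

# Constructed registration data: one client with multiple registered redirect URIs (step 1).
REGISTERED = {"client1": ["https://client.example/cb", "https://client.example/alt"]}
# authorization code -> (client_id, redirect_uri exactly as sent in the authz request, or None)
CODES = {}

def strip_query(uri):
    """Return the URI without query string or fragment, for matching 'up to the query string'."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}{p.path}"

def authorize(client_id, redirect_uri=None):
    """Steps 2-3: accept a redirect_uri whose pre-query part matches a registered URI."""
    registered = REGISTERED[client_id]
    if redirect_uri is None:
        if len(registered) != 1:
            raise ValueError("invalid_request")  # ambiguous: several URIs registered
    elif strip_query(redirect_uri) not in registered:
        raise ValueError("invalid_request")
    code = secrets.token_urlsafe(16)
    # Bind the code to the exact string the client sent, query parameters included.
    CODES[code] = (client_id, redirect_uri)
    return code

def token(client_id, code, redirect_uri=None):
    """Step 4: enforce the RFC 6749 section 4.1.3 redirect_uri check at the token endpoint."""
    bound_client, bound_uri = CODES.pop(code, (None, None))  # codes are single use
    if bound_client is None or bound_client != client_id:
        return {"error": "invalid_grant"}
    # If redirect_uri was in the authz request it must be present here and identical.
    if bound_uri is not None and redirect_uri != bound_uri:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

if __name__ == "__main__":
    sent = "https://client.example/cb?state=abc"
    print(token("client1", authorize("client1", sent)))        # omitted: rejected
    print(token("client1", authorize("client1", sent), sent))  # identical: token issued
```

Under this reading, a client that carries state in a query parameter of redirect_uri has to keep the full string and resend it in the token request.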