[Openid-specs-ab] Additional issues with redirect
Richer, Justin P.
jricher at mitre.org
Sat May 19 00:17:47 UTC 2012
As I read things, I see it as an error as well. I can see the point in relaxing, since it would mean less to remember for both client and AS, but I think it's clearer if there's one code path, and only one path, to take if the client sends the redirect_uri to the authz endpoint.
I feel like this needs flowcharts or something. Maybe I'll try to draw them up for the group sometime here.
From: John Bradley [ve7jtb at ve7jtb.com]
Sent: Friday, May 18, 2012 5:41 PM
To: Richer, Justin P.
Cc: <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] Additional issues with redirect
What is your interpretation of OAuth where:
1: the client registers multiple redirect_uri.
2: The client sends a redirect_uri in authz request with query parameters.
3: The authz server matches the redirect URI with one of the registered ones up to the query string.
4: The client makes a request to the token endpoint without a redirect_uri
Is this fine or an error?
My reading of the OAuth Draft implies that this should return an error.
Though from a security point of view the authz server matching the first time should be sufficient.
This needs to be clear for interop. If a client only registers one redirect_uri and simply sends a redirect_uri in the request to maintain some state in a query parameter, should it be forced to remember that parameter and send it in the request to the token endpoint?
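As an added example (not part of the thread, and not any implementation's code), here is a toy authorization server that plays through steps 1-4 above with the single code path Justin describes: the redirect_uri matching at the authz endpoint uses the "up to the query string" rule from step 3, and the token endpoint then requires the exact value that was bound to the code, as RFC 6749 section 4.1.3 specifies. The client id and URIs are constructed sample values; exact string comparison at the authz endpoint is what current guidance recommends over the prefix-style match modelled here.

```python
from urllib.parse import urlsplit
import secrets

class AuthzError(Exception):
    pass

class AuthzServer:
    """Toy authorization server constructed for this example."""

    def __init__(self, registered):
        self.registered = registered  # client_id -> list of registered redirect URIs
        self.codes = {}               # code -> (client_id, redirect_uri bound at authz, or None)

    def _matches_registered(self, client_id, uri):
        # Step 3 of the thread: scheme/host/port/path must equal a registered
        # URI exactly; the query string sent by the client is ignored here.
        want = urlsplit(uri)._replace(query="", fragment="")
        return any(urlsplit(r)._replace(query="", fragment="") == want
                   for r in self.registered.get(client_id, []))

    def authorize(self, client_id, redirect_uri=None):
        regs = self.registered.get(client_id, [])
        if redirect_uri is None:
            if len(regs) != 1:  # several registered and none chosen: ambiguous
                raise AuthzError("redirect_uri required")
        elif not self._matches_registered(client_id, redirect_uri):
            raise AuthzError("redirect_uri not registered")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)  # bind the value actually used
        return code

    def token(self, client_id, code, redirect_uri=None):
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if entry is None or entry[0] != client_id:
            raise AuthzError("invalid_grant")
        bound = entry[1]
        # Single code path: a redirect_uri sent to the authz endpoint must be
        # repeated here and match byte for byte, query string included.
        if bound is not None and redirect_uri != bound:
            raise AuthzError("invalid_grant: redirect_uri mismatch")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def run_scenario(token_redirect_uri):
    """Steps 1-4 from the thread; returns the error text or 'ok'."""
    srv = AuthzServer({"app": ["https://app.example/cb", "https://app.example/alt"]})
    try:
        code = srv.authorize("app", "https://app.example/cb?state=xyz")
        srv.token("app", code, token_redirect_uri)
        return "ok"
    except AuthzError as e:
        return str(e)
```

With this model, step 4 (no redirect_uri at the token endpoint) is an error, and so is resending the URI without the query string; only the identical value succeeds.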