[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Brian Campbell bcampbell at pingidentity.com
Tue Dec 4 17:30:14 UTC 2012


Sorry for the re-post - I wanted to send this with Breno and Naveen
directly in the distribution list to increase the likelihood that they'd
actually see it (but forgot the first time).

---------- Forwarded message ----------
From: Brian Campbell <bcampbell at pingidentity.com>
Date: Tue, Dec 4, 2012 at 10:17 AM
Subject: Question to Google about redirect_uri parameter in authorization
request
To: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>


Hey Breno and/or Naveen,

Would you guys be OK with relaxing the Connect specs to allow the
redirect_uri parameter to be omitted from an authorization request when
only one redirect_uri is registered for the given client?

The reason I'm asking is that the Connect specs are more strict about the
redirect_uri parameter than the base OAuth spec and I'd submitted a ticket
[1] requesting that Connect align with the RFC that it extends from. The
Connect editors have said the added constraint on the parameter was placed
there because it's how the Google implementation worked and asked me to
follow up with you guys [2] to understand why you were requiring it and if
it is OK to relax that requirement in the Connect specs.

Can you shed some light on that decision and/or just give the to make the
change at the spec level?

Thanks in advance,
Brian


[1]
https://bitbucket.org/openid/connect/issue/669/inconsistent-treatment-of-redirect_uri

[2]
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121203/002612.html