[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Justin Richer jricher at mitre.org
Tue Dec 4 21:10:47 UTC 2012


On 12/04/2012 04:02 PM, Breno de Medeiros wrote:
> On Tue, Dec 4, 2012 at 12:45 PM, Brian Campbell
> <bcampbell at pingidentity.com> wrote:
>> On Tue, Dec 4, 2012 at 12:50 PM, Breno de Medeiros <breno at google.com> wrote:
>>>> Putting this requirement into Connect introduces a different kind of
>>>> variation all together. Whether or not the parameter is required (under
>>>> the
>>>> particular circumstance of a single registered redirect uri) would
>>>> depend on
>>>> if you are doing plain old OAuth or if you are doing Connect. That seems
>>>> even worse IMHO and will certainly be a pain to support.
>>> I doubt. You can simply supply the redirect_uri to an OAuth2 library.
>>> They need to support it.
>>>
>> I was talking about it being a pain to support as an AS that already does
>> 'standard' OAuth.
> No -- compliant AS should require no changes.

Not true - OIDC adds a further requirement check beyond what OAuth 
requires. Servers will have to implement this logic specifically to 
support OIDC.

I agree that we should keep the same logic that OAuth uses, that 
redirect_uri is an optional parameter in certain circumstances.

  -- Justin


More information about the Openid-specs-ab mailing list