[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Breno de Medeiros breno at google.com
Wed Dec 5 00:41:18 UTC 2012

It's my reading of the OAuth2 spec that servers shouldn't break if
passed a redirect_uri on the authorization step. OTOH OAuth2 is an
spec with 'loose' interoperability targets. And that's ultimately the
motivation why OIDC needs often to go beyond OAuth2 specifications.
You don't have interoperability with OAuth2.

On Tue, Dec 4, 2012 at 1:10 PM, Justin Richer <jricher at mitre.org> wrote:
> On 12/04/2012 04:02 PM, Breno de Medeiros wrote:
>> On Tue, Dec 4, 2012 at 12:45 PM, Brian Campbell
>> <bcampbell at pingidentity.com> wrote:
>>> On Tue, Dec 4, 2012 at 12:50 PM, Breno de Medeiros <breno at google.com>
>>> wrote:
>>>>> Putting this requirement into Connect introduces a different kind of
>>>>> variation all together. Whether or not the parameter is required (under
>>>>> the
>>>>> particular circumstance of a single registered redirect uri) would
>>>>> depend on
>>>>> if you are doing plain old OAuth or if you are doing Connect. That
>>>>> seems
>>>>> even worse IMHO and will certainly be a pain to support.
>>>> I doubt. You can simply supply the redirect_uri to an OAuth2 library.
>>>> They need to support it.
>>> I was talking about it being a pain to support as an AS that already does
>>> 'standard' OAuth.
>> No -- compliant AS should require no changes.
> Not true - OIDC adds a further requirement check beyond what OAuth requires.
> Servers will have to implement this logic specifically to support OIDC.
> I agree that we should keep the same logic that OAuth uses, that
> redirect_uri is an optional parameter in certain circumstances.
>  -- Justin


More information about the Openid-specs-ab mailing list