[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Brian Campbell bcampbell at pingidentity.com
Wed Dec 5 16:07:52 UTC 2012


On Tue, Dec 4, 2012 at 5:41 PM, Breno de Medeiros <breno at google.com> wrote:
>
> It's my reading of the OAuth2 spec that servers shouldn't break if
> passed a redirect_uri on the authorization step.

Sure but that's not at all what I was talking about. It's fine to
disagree here but please take the time to try to understand what is being
said before being condescendingly dismissive of it. Justin followed
the reasoning (thanks BTW Justin) so I don't think it's too much to
ask or that I've been particularly unclear.

> OTOH OAuth2 is a
> spec with 'loose' interoperability targets. And that's ultimately the
> motivation why OIDC needs often to go beyond OAuth2 specifications.
> You don't have interoperability with OAuth2.

Please spare that hyperbole for personal blog posts attacking the
evils of big corporate America. It's a crutch argument that's largely
untrue and any interoperability problems that OAuth 2 might suffer are
certainly not due to the conditional optionality of one request
parameter.

