[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request

Brian Campbell bcampbell at pingidentity.com
Wed Dec 5 17:13:06 UTC 2012


It was not intended as a personal flame and I apologize if it was
interpreted that way. I was trying to request that you show others
(myself in particular) the baseline level of respect of taking the
time to understand a point of view before dismissing it in a terse and
condescending way. Perhaps some of my frustration with the direction
of this thread came though in the last message and I'm sorry for that.

The thread was originally intended to invoke a larger discussion on
the security and interoperability considerations of treatment of the
redirect_uri parameter. Actually, to be honest, I didn't think that
any discussion was necessary but clearly I was wrong there.

Clearly we see things differently here. I don't think the way OAuth2
deals with redirect_uri parameter is so bad and I favor consistency
between the two very closely related specification suites. If I
understand correctly, you think it is bad enough to warrant different
treatment of the same condition at the Connect layer. We disagree and
I don't believe either view is demonstratively correct so I defer to
the WG and editors to decide.


More information about the Openid-specs-ab mailing list