[Openid-specs-ab] Question to Google about redirect_uri parameter in authorization request
bcampbell at pingidentity.com
Thu Dec 6 22:18:44 UTC 2012
Sorry for the slow response. Responses inline.
On Wed, Dec 5, 2012 at 5:50 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Brian, is the current inconsistency within the Connect specs that you've
> identified in this sentence in
> http://openid.net/specs/openid-connect-standard-1_0.html#anchor9: "Ensure
> that the redirect_uri parameter is present if the redirect_uri parameter
> was included in the initial Authorization Request and that their values are
> identical for the Scheme, Host, Path, and Query Parameter segments"? If
> the phrase "if the redirect_uri parameter was included in the initial
> Authorization Request" were deleted, would the Connect specs then be
> self-consistent, in your view?
As far as its requiredness on the authorization and token requests, I
think that would do it (with a little wordsmithing on that statement
anyway). Looking at all the places I referenced in the ticket, I thought
it was a mistake and I guess I was really expecting it would be changed to
> Or are you also concerned that this language in
> http://openid.net/specs/openid-connect-registration-1_0.html#anchor3 would be inconsistent: "redirect_uris - RECOMMENDED for Clients using the
> code flow with a query parameter encoded response. REQUIRED for Clients
> requesting implicit flow fragment encoded responses as defined in OAuth 2.0
> [OAuth2.0]. A space-delimited list of redirect URIs. One of the URL MUST
> match the Scheme, Host, and Path segments of the redirect_uri in the
> authorization request."? Or do people also believe that registering
> redirect_uris should always be REQUIRED?
I don't know the reasoning for having it that way so can't really comment
on if registering redirect_uris should always be required. It is maybe a
little awkward that it's sort of optional there in registration but text
like "The Scheme, Host, Path, and Query Parameter segments of this URI MUST
match one of the redirect_uris registered for the client_id in the OpenID
Connect Dynamic Client Registration
http://openid.net/specs/openid-connect-standard-1_0.html#rf_prep sort of
reads as though a client will always have uris registered. That text also
could potentially be interpreted as a hard dependency of standard on
dynamic registration but maybe I'm being too nit-picky...
> Thanks all,
> -- Mike
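
The two matching rules quoted in this thread, written out as an added example (not code from the thread or from the OpenID Connect specs). It assumes that "Host" includes any port, that scheme and host compare case-insensitively, and that the query compares as an exact string; the function names and sample URIs are constructed.

```python
from urllib.parse import urlsplit

def segments(uri, with_query=True):
    """Return the segments the quoted spec text compares.
    Assumptions of this example: scheme and host compare case-insensitively,
    "Host" includes any port, and the query compares as an exact string."""
    p = urlsplit(uri)
    parts = (p.scheme.lower(), p.netloc.lower(), p.path)
    return parts + (p.query,) if with_query else parts

def matches_registered(redirect_uri, registered, with_query):
    """registered is the space-delimited redirect_uris registration value.
    with_query=False follows the registration wording (Scheme, Host, Path);
    with_query=True follows the standard wording (adds Query Parameter)."""
    want = segments(redirect_uri, with_query)
    return any(segments(r, with_query) == want for r in registered.split())

def token_request_ok(auth_uri, token_uri, always_required):
    """Compare the token request's redirect_uri with the authorization request's.
    always_required=False models the conditional wording quoted in the thread;
    True models the wording with the "if ... was included" phrase deleted."""
    if auth_uri is None:
        # Conditional wording: nothing was sent earlier, so no check is made.
        return not always_required
    if token_uri is None:
        return False
    return segments(auth_uri) == segments(token_uri)

# Constructed sample values (not from the thread).
REGISTERED = "https://client.example/cb https://client.example/cb2?tenant=a"
AUTH_URI = "https://client.example/cb?lang=en"

def demo():
    return {
        "registration_wording": matches_registered(AUTH_URI, REGISTERED, False),
        "standard_wording": matches_registered(AUTH_URI, REGISTERED, True),
        "token_same": token_request_ok(AUTH_URI, "HTTPS://Client.Example/cb?lang=en", True),
        "token_differs": token_request_ok(AUTH_URI, "https://client.example/cb?lang=fr", True),
        "omitted_conditional": token_request_ok(None, None, False),
        "omitted_always": token_request_ok(None, None, True),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The same authorization request is accepted under the three-segment registration wording and rejected under the four-segment standard wording, which is the kind of mismatch the thread is trying to remove.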