[Openid-specs-ab] Is it SHOULD or MUST?

Nat Sakimura sakimura at gmail.com
Sun Jun 2 01:09:22 UTC 2013


In the 2nd paragraph of
2.2.6.1.  End-User Grants Authorization
of Standard, it states:

Note that if the response_type parameter in the Authorization Request
includes the string value token or id_token, all response parameters SHOULD
be added to the fragment component of the redirection URI. Otherwise, the
response parameters are added to the query component of the redirection URI.

Is it SHOULD? Is it not MUST?
SHOULD means that it can be sent otherwise, e.g., as query string.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130602/1e40c213/attachment.html>


More information about the Openid-specs-ab mailing list