In the Web Callback Flow, section 3.4.1.2 requires the client to pass the "callback" parameter back a second time.
Why? I believe this is supposed to be there to prevent a session fixation attack, but I don't see an attack vector where the verification code is not sufficient to prevent things. It seems redundant and confusing, and I'd like to remove it (I believe this was proposed on a separate thread).
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
