> -----Original Message----- > From: Brian Eaton [mailto:[email protected]] > Sent: Monday, April 19, 2010 8:37 AM > To: Dick Hardt > Cc: Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] Clarification: authorization server matching of > redirect URI > > On Sun, Apr 18, 2010 at 10:35 PM, Dick Hardt <[email protected]> wrote: > > The spec should describe how the redirect URI is verified to what is > registered. I can enumerate the options for discussion adding in the state > parameter as an option. > > Note that there are two spots where the AS does some URI matching. > > The first is before redirecting the user to the callback URI. This seems > doomed to being service provider specific, unfortunately.
I agree. If someone wants to suggest some security consideration text that would be good. > The second is when exchanging the verification code for the refresh token > and access token. This can always be a string equality match. It should be a case-sensitive string comparison with the value provided by the client in the first step. EHL _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
