How should an OAuth client app behave when it gets an HTTP redirect on requesting a protected resource?
Similarly, how should it behave when it follows any other link in a response? Obviously it should make a new request to the URI in the redirect or link — that is normal HTTP and hypertext behaviour. The question is does the token get sent with the new request? I think the spec needs to provide an answer, even if it isn’t my suggestion of a “sites” list when a token is issued.

-- James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
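One way a client could apply the "sites" list suggested in the message above when it follows redirects, as an added example that is not part of the original post or of any OAuth specification. The `send` transport callback, the example.com/example.net URLs, the `Bearer` header form and exact scheme/host/port matching are all assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def fetch_protected(url, token, sites, send, max_hops=5):
    """Follow redirects, attaching the token only to origins in `sites`.

    `send(url, headers)` is a hypothetical transport returning
    (status, response_headers). Returns (status, trail), where trail
    lists (url, token_sent) for every hop.
    """
    allowed = {origin(s) for s in sites}
    trail = []
    for _ in range(max_hops):
        attach = origin(url) in allowed  # re-decided on every hop
        headers = {"Authorization": "Bearer " + token} if attach else {}
        status, resp_headers = send(url, headers)
        trail.append((url, attach))
        if status not in REDIRECTS or "Location" not in resp_headers:
            return status, trail
        url = urljoin(url, resp_headers["Location"])  # resolves relative targets
    raise RuntimeError("too many redirects")

# Constructed responses: the resource server redirects within its own
# origin first, then to a different host that is not in the sites list.
CONSTRUCTED = {
    "https://api.example.com/photos/1": (302, {"Location": "/v2/photos/1"}),
    "https://api.example.com/v2/photos/1": (307, {"Location": "https://cdn.example.net/p/1"}),
    "https://cdn.example.net/p/1": (200, {}),
}

def demo():
    seen = []  # what the transport actually received
    def send(url, headers):
        seen.append((url, "Authorization" in headers))
        return CONSTRUCTED[url]
    status, trail = fetch_protected("https://api.example.com/photos/1",
                                    "constructed-token",
                                    ["https://api.example.com"], send)
    return status, trail, seen

if __name__ == "__main__":
    print(demo())
```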
