On Mon, Jul 26, 2010 at 5:07 AM, Richer, Justin P. <[email protected]> wrote:
> And this is even a bigger potential problem when you combine it with
> unregistered or dynamically-registered clients, which we know some instances
> are going to support. In these cases, though, it's hard to trust *any* URL
> that the client is asking for, even for valid responses.

The user must approve a valid response, so it should not work as a redirector.
Right? An immediate mode will only work if the user explicitly approved at
least once in the past.

Marius
