I was also thinking providers could specify a redirect_url on their own domain,
such as
http://www.kiva.org/oauth/callback/oob
But an urn or custom scheme (either is fine) that everyone can agree upon would
my preference, primarily to reduce developer confusion, but similarly for the
potential of false redirects that Eran mentions.
On Jan 28, 2011, at 8:34 PM, Eran Hammer-Lahav wrote:
> If like many people, URN's give you an allergic reaction, you can also
> consider:
>
> http://oauth.net/2.0/redirection/oob
>
> Or something like that. The advantage of the URN is that if the server
> doesn't support this, it doesn't end up sending the user to oauth.net... ;-)
>
> EHL
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:[email protected]]
>> Sent: Friday, January 28, 2011 11:25 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Native Client Extension
>>
>> On Fri, Jan 28, 2011 at 10:25 AM, Eran Hammer-Lahav
>> <[email protected]> wrote:
>>> -12 3.1.1:
>>>
>>> The redirection URI MUST be an absolute URI and MAY include a query
>>> component, which MUST be retained by the authorization server when
>>> adding additional query parameters.
>>>
>>> 'oob' is not an absolute URI.
>>
>> Good point, I missed the absolute part. Thanks for pointing this out.
>>
>> Let me think about it, the URN you suggested is a good start.
>>
>> Marius
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
