Section 4.1.3 (v12) says:

   The authorization server MUST:

   o  Validate the client credentials and ensure they match the
      authorization code.

   o  Verify that the authorization code and redirection URI are valid
      and match its stored association.

The "stored association" does not appear to be referenced elsewhere in the
document, and it's not clear to me what association is intended, or when it
should be established. A cursory search of the archives of this list has not
provided a conclusive explanation; my apologies if I've missed something.

Thanks,
Mark.
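
One reading of the quoted requirement, as an added example that is not part of the original message or of the draft: the association is recorded when the code is issued at the authorization endpoint and checked again at the token endpoint. The class and method names, the 60-second lifetime and the single-use behaviour are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime; the quoted text does not give one


class AuthorizationCodeStore:
    """In-memory record of what each authorization code was issued for."""

    def __init__(self, now=time.monotonic):
        self._codes = {}
        self._now = now  # injectable clock so expiry can be exercised

    def issue(self, client_id, redirect_uri):
        # Authorization endpoint: store the association between the new
        # code, the requesting client and the redirection URI it used.
        code = secrets.token_urlsafe(32)
        expires_at = self._now() + CODE_TTL_SECONDS
        self._codes[code] = (client_id, redirect_uri, expires_at)
        return code

    def redeem(self, code, client_id, redirect_uri):
        # Token endpoint: client_id is the client that has just been
        # authenticated by its credentials (that step is outside this sketch).
        # pop() retires the code whether or not the checks below pass
        # (assumption: codes are single-use).
        record = self._codes.pop(code, None)
        if record is None:
            return False
        issued_to, issued_uri, expires_at = record
        if self._now() > expires_at:
            return False
        # Both values must be identical to what was stored at issuance.
        same_client = hmac.compare_digest(issued_to.encode(), client_id.encode())
        same_uri = hmac.compare_digest(issued_uri.encode(), redirect_uri.encode())
        return same_client and same_uri
```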