The OAuth spec is somewhat silent about how a resource provider should perform a redirect as there are many ways to accomplish the redirect. We also discovered that since the HTTP specifications were somewhat vague on fragments that some HTTP client implementations strip the fragment, we have the case in our implementation of WinINET.
So would like to propose that wording be added in 2.1.1 to the effect that "There are many ways to perform the redirection and the fact that some HTTP client implementations strip the fragment so take this into consideration when choosing a redirect technology." It might be also good to add an example of a different style redirect as I believe all the samples use 302 .
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
