wrt section 4.1.3
The redirect_uri parameter should at least be required if the authz
server sent the authorization code to a redirect_uri passed in by the
client into the authorization request.
In this case, the authorization server must bind this uri to the authz
code and require the client to pass the same uri to the tokens endpoint
again. This way, the authz server is able to detect authorization code
theft by an intermediary server (which would need to use a different uri
than the legitimate client).
regards,
Torsten.
On 27.05.2011 23:08, Mike Jones wrote:
The minutes from the special meeting included:
TODO: Eran to add extensibility language for this based on requirements.
- "RedirectURI" should be optional
TODO: Eran to send mail to the list proposing language changes to
either change this from REQUIRED to OPTIONAL and add clarifying
language, or leave as required and add a pre-defined value for "we're
not actually using this".
Is this proposed change just limited to section 4.5? It seems to make
sense to have redirect_uri be optional in section 4.1.3 as well
(access token request using grant_type authorization code). Since
this request is made directly from the client to the authorization
server, I don't see why this would be required. For at least some
implementations of the 3-legged flow, it would make sense to not have
this be a requirement.
Comments?
Thanks,
-- Mike
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
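The binding Torsten describes above (record the redirect_uri from the authorization request with the issued code, then require the identical value at the token endpoint), as an added example that is not part of the thread or of any draft text. The class and method names, and the sample client ids and URIs, are constructed for illustration.

```python
# Added example: a minimal authorization server that binds the redirect_uri
# used at the authorization endpoint to the issued code and re-checks it at
# the token endpoint. All names and sample values here are constructed.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: Optional[str]  # None if the authorization request carried none
    used: bool = False


class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: Dict[str, CodeRecord] = {}

    def issue_code(self, client_id: str, redirect_uri: Optional[str]) -> str:
        """Authorization endpoint: remember which redirect_uri (if any) the
        client passed, so the token endpoint can demand the same value."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri)
        return code

    def exchange_code(self, client_id: str, code: str,
                      redirect_uri: Optional[str] = None) -> str:
        """Token endpoint: return an access token or raise PermissionError."""
        rec = self._codes.get(code)
        if rec is None or rec.used or rec.client_id != client_id:
            raise PermissionError("invalid_grant")
        # Binding check: when a redirect_uri was used at the authorization
        # endpoint, the token request must repeat it exactly (no normalisation).
        # A code that was delivered to some other URI cannot be redeemed with
        # the legitimate client's URI, which is what makes theft detectable.
        if rec.redirect_uri is not None and redirect_uri != rec.redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        rec.used = True  # authorization codes are single use
        return "access-token-" + secrets.token_hex(8)
```

If the authorization request carried no redirect_uri, the token request is allowed to omit it as well, which is the "optional" case Mike raises.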