This applies to 4.1.1 and 4.2.1 only. It must be required in 4.1.3; it must match the location actually used by the server to deliver the code to (regardless of whether the redirection URI was registered or included explicitly with the request).
EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Jones
Sent: Friday, May 27, 2011 2:08 PM
To: [email protected]
Subject: [OAUTH-WG] Question on action item to make RedirectURI optional

The minutes from the special meeting included:

TODO: Eran to add extensibility language for this based on requirements.
- "RedirectURI" should be optional
TODO: Eran to send mail to the list proposing language changes to either change this from REQUIRED to OPTIONAL and add clarifying language, or leave as required and add a pre-defined value for "we're not actually using this".

Is this proposed change just limited to section 4.5? It seems to make sense to have redirect_uri be optional in section 4.1.3 as well (access token request using grant_type authorization code). Since this request is made directly from the client to the authorization server, I don't see why this would be required. For at least some implementations of the 3-legged flow, it would make sense to not have this be a requirement.

Comments?

Thanks,
-- Mike
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
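
The rule stated in the reply above, as an added sketch that is not part of the thread or of the draft: the server records the location it delivered the code to, whether that came from registration or from the request, and the token request must present exactly that value. The client registry, function names and returned status strings are assumptions made for this illustration.

```python
import hmac
import secrets

# Constructed registry (assumption): client-a registered a URI, client-b did not.
REGISTERED = {"client-a": "https://client.example/cb", "client-b": None}
_codes = {}  # code -> (client_id, location the code was delivered to)


def issue_code(client_id, redirect_uri=None):
    """Authorization request: redirect_uri may be omitted if one is registered."""
    if client_id not in REGISTERED:
        raise ValueError("unknown client")
    registered = REGISTERED[client_id]
    if redirect_uri is None:
        if registered is None:
            raise ValueError("no redirection URI registered or supplied")
        used = registered
    elif registered is not None and redirect_uri != registered:
        raise ValueError("redirect_uri does not match registration")
    else:
        used = redirect_uri
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, used)  # bind the code to the delivery location
    return code, used


def redeem_code(client_id, code, redirect_uri):
    """Token request: redirect_uri is required and must equal the bound location."""
    if redirect_uri is None:
        return "invalid_request"
    entry = _codes.pop(code, None)  # single use, consumed even if the check fails
    if entry is None:
        return "invalid_grant"
    bound_client, delivered_to = entry
    if client_id != bound_client:
        return "invalid_grant"
    # Exact string comparison: no prefix matching, no normalisation.
    if not hmac.compare_digest(redirect_uri.encode(), delivered_to.encode()):
        return "invalid_grant"
    return "token_issued"
```

The comparison is against the value stored at issuance rather than against the registry, which is what makes the check hold for both the registered and the explicitly supplied case.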
