Why must the redirect_uri be validated if it is pre-registered and not
included in the authorization request?
Regards,
Torsten.
On 29.05.2011 18:20, Eran Hammer-Lahav wrote:
This applies to 4.1.1 and 4.2.1 only. It must be required in 4.1.3; it
must match the location actually used by the server to deliver the
code to (regardless of whether the redirection URI was registered or
included explicitly with the request).
EHL
From: [email protected] [mailto:[email protected]] On Behalf Of Mike Jones
Sent: Friday, May 27, 2011 2:08 PM
To: [email protected]
Subject: [OAUTH-WG] Question on action item to make RedirectURI optional
The minutes from the special meeting included:
TODO: Eran to add extensibility language for this based on requirements.
- "RedirectURI" should be optional
TODO: Eran to send mail to the list proposing language changes to
either change this from REQUIRED to OPTIONAL and add clarifying
language, or leave as required and add a pre-defined value for "we're
not actually using this".
Is this proposed change just limited to section 4.5? It seems to make
sense to have redirect_uri be optional in section 4.1.3 as well
(access token request using grant_type authorization code). Since
this request is made directly from the client to the authorization
server, I don't see why this would be required. For at least some
implementations of the 3-legged flow, it would make sense to not have
this be a requirement.
Comments?
Thanks,
-- Mike
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
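Added example, not part of the original thread or of any implementation discussed in it: a minimal authorization-server sketch of the check described for 4.1.3, where the code is bound to the location it was actually delivered to and the token request must present that same redirect_uri. The client id, URIs, function names and the InvalidGrant exception are constructed for illustration.

```python
import secrets

# Constructed sample registration (hypothetical client and URI).
REGISTERED = {"client-a": "https://client.example/cb"}

# code -> (client_id, URI the code was actually delivered to)
_codes = {}


class InvalidGrant(Exception):
    """Token request rejected; would map to the invalid_grant error."""


def issue_code(client_id, redirect_uri=None):
    """Authorization endpoint (4.1.1): redirect_uri may be omitted when registered."""
    registered = REGISTERED[client_id]
    if redirect_uri is not None and redirect_uri != registered:
        raise ValueError("redirect_uri does not match the registration")
    # Record where the code is really sent, whether that location came
    # from the registration or from the request.
    delivered_to = redirect_uri if redirect_uri is not None else registered
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, delivered_to)
    return code


def redeem_code(client_id, code, redirect_uri):
    """Token endpoint (4.1.3): redirect_uri is required and must match."""
    # pop() makes the code single use; a failed attempt also burns it.
    entry = _codes.pop(code, None)
    if entry is None:
        raise InvalidGrant("unknown or already used code")
    bound_client, delivered_to = entry
    if bound_client != client_id:
        raise InvalidGrant("code was issued to another client")
    if redirect_uri is None:
        raise InvalidGrant("redirect_uri is required")
    if redirect_uri != delivered_to:
        raise InvalidGrant("redirect_uri differs from the delivery location")
    return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}


if __name__ == "__main__":
    c = issue_code("client-a")  # redirect_uri omitted, registration used
    print(redeem_code("client-a", c, "https://client.example/cb")["token_type"])
```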