-Doug Tangren http://lessis.me
On Sun, May 29, 2011 at 12:41 PM, Torsten Lodderstedt <[email protected]> wrote:

> why must the redirect_uri be validated if it is pre-registered and not
> included in the authorization request?

I think the preregistered redirect_uri may only require the core components of where the user will be redirected to after authorization:

    The authorization server SHOULD require the client to pre-register their redirection URI or at least certain components such as the scheme, host, port and path. If a redirection URI was registered, the authorization server MUST compare any redirection URI received at the authorization endpoint with the registered URI.

    - http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-2.1.1

What you pre-register determines how you would match the provided requests' redirect_uris. It's explicitly required for an explicit location to redirect to on a request-by-request basis. The exact match in 4.1.3 is required to have a binding between the first and second request in the auth code flow.

I think the idea behind a pre-registered redirect_uri was to limit where credentials will be sent to after authorization. In OAuth 1 someone could supply a redirection "callback" to a completely different for every request.
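As an added illustration (not code from the thread or from the OAuth draft) of the two rules discussed above, the following sketches component matching of a pre-registered redirect_uri (scheme, host, port, path) per section 2.1.1 and the exact-match binding between the authorization request and the token request per 4.1.3. Function names, the "exact"/"components" policy labels and the in-memory code store are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed example; not the draft's normative text and not from the thread.

def _components(uri):
    """Split a URI into (scheme, host, port, path, query, fragment),
    normalising case and filling in the default port for http/https."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    path = p.path or "/"
    return scheme, host, port, path, p.query, p.fragment

def redirect_uri_allowed(registered, received, policy="components"):
    """Section 2.1.1 check at the authorization endpoint.
    policy="exact":      received must equal the registered string.
    policy="components": scheme, host, port and path must match; the
                         query may differ (clients often add their own
                         parameters there)."""
    if policy == "exact":
        return registered == received
    r = _components(registered)
    g = _components(received)
    if g[5]:
        # A fragment in the redirect URI is never acceptable.
        return False
    return r[:4] == g[:4]   # scheme, host, port, path; query ignored

# Section 4.1.3 binding: the token request must present exactly the
# redirect_uri that accompanied the authorization request for that code.
_issued = {}   # assumed in-memory store: authorization code -> redirect_uri

def issue_code(code, redirect_uri):
    _issued[code] = redirect_uri

def token_request_ok(code, redirect_uri):
    """Single-use: the code is consumed whether or not the URI matches."""
    return _issued.pop(code, None) == redirect_uri
```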