We need to distinguish (1) the registration of a redirect URI template for the purpose of validating the actual redirect URI of an authorization transaction and (2) the registration of the redirect URI to be used in all authorization requests of a client. In the latter case, there is no need to pass a redirect URI with every authz request.

Is OAuth supposed to support (2)?

regards,
Torsten.

Doug Tangren <[email protected]> wrote:

> On Sun, May 29, 2011 at 12:41 PM, Torsten Lodderstedt <[email protected]> wrote:
>
>> why must the redirect_uri be validated if it is pre-registered and not included in the authorization request?
>
> I think the preregistered redirect_uri may only require the core components of where the user will be redirected to after authorization:
>
>> The authorization server SHOULD require the client to pre-register their redirection URI or at least certain components such as the scheme, host, port and path. If a redirection URI was registered, the authorization server MUST compare any redirection URI received at the authorization endpoint with the registered URI.
>> - http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-2.1.1
>
> What you pre-register determines how you would match the provided requests' redirect_uris. It's explicitly required for an explicit location to redirect to on a request by request basis. The exact match in 4.1.3 is required to have a binding between the first and second request in the auth code flow.
>
> I think the idea behind a pre-registered redirect_uri was to limit where credentials will be sent to after authorization. In oauth1 someone could supply a redirection "callback" to a completely different for every request.
>
> -Doug Tangren
> http://lessis.me
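The two registration modes the thread distinguishes, and the exact-match binding between the authorization request and the token request that Doug refers to (draft -16, section 4.1.3), as an added example of how an authorization server could implement them; this is not code from the thread, from any IETF draft or from any real OAuth library, and the client ids, URIs and the `Client`/`AuthorizationServer` names are constructed for illustration:

```python
"""Redirect-URI handling at an OAuth 2.0 authorization server.

Added example, not code from the thread or any IETF draft. It shows the two
registration modes the thread distinguishes: (1) a registered URI template used
to validate the redirect_uri carried in the authorization request (compared on
scheme, host, port and path), and (2) a single registered redirect URI that is
used when the request omits redirect_uri. It also enforces the exact-match
binding between authorization request and token request (draft -16, 4.1.3).
Client ids and URIs below are constructed sample values.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


class RedirectUriError(Exception):
    """Raised when a redirect_uri is absent, malformed or does not match."""


@dataclass
class Client:
    client_id: str
    registered_uri: Optional[str] = None   # None: nothing registered
    full_uri_registered: bool = True       # True: mode (2); False: template only, mode (1)


def _components(uri: str) -> Tuple[str, str, Optional[int], str]:
    """Normalise the (scheme, host, port, path) components used for template matching."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RedirectUriError("redirect_uri must be an absolute http(s) URI")
    if parts.fragment:
        raise RedirectUriError("redirect_uri must not carry a fragment")
    return parts.scheme.lower(), parts.hostname.lower(), parts.port, parts.path or "/"


def resolve_redirect_uri(client: Client, requested: Optional[str]) -> str:
    """Return the URI the authorization response may be sent to, or raise."""
    if client.registered_uri is None:
        if requested is None:
            raise RedirectUriError("no redirect_uri registered and none supplied")
        _components(requested)            # at least insist on a well-formed absolute URI
        return requested
    if requested is None:
        if not client.full_uri_registered:
            raise RedirectUriError("only a template is registered; redirect_uri is required")
        return client.registered_uri      # mode (2): fall back to the registered URI
    if client.full_uri_registered:
        if requested != client.registered_uri:   # full URI registered: exact match only
            raise RedirectUriError("redirect_uri differs from the registered URI")
    elif _components(requested) != _components(client.registered_uri):
        raise RedirectUriError("redirect_uri does not match the registered template")
    return requested


def is_allowed(client: Client, requested: Optional[str]) -> bool:
    """Boolean wrapper around resolve_redirect_uri for quick policy checks."""
    try:
        resolve_redirect_uri(client, requested)
        return True
    except RedirectUriError:
        return False


@dataclass
class AuthorizationServer:
    clients: Dict[str, Client]
    # code -> (client_id, redirect_uri parameter exactly as sent, or None if omitted)
    issued_codes: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: Optional[str]) -> Tuple[str, str]:
        """Authorization request: validate redirect_uri and issue a code bound to it.

        Returns (location the user agent is redirected to, the issued code).
        """
        target = resolve_redirect_uri(self.clients[client_id], redirect_uri)
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = (client_id, redirect_uri)
        joiner = "&" if urlsplit(target).query else "?"
        return f"{target}{joiner}code={code}", code

    def token(self, client_id: str, code: str, redirect_uri: Optional[str]) -> bool:
        """Token request: the code is single-use (even on failure) and redirect_uri
        must be identical to the value sent, or omitted, in the authorization request."""
        issued = self.issued_codes.pop(code, None)
        if issued is None or issued[0] != client_id:
            return False
        return redirect_uri == issued[1]


if __name__ == "__main__":
    server = AuthorizationServer({
        "app-full": Client("app-full", "https://app.example/cb"),
        "app-tpl": Client("app-tpl", "https://app.example/cb", full_uri_registered=False),
    })
    location, code = server.authorize("app-full", None)   # mode (2): no redirect_uri sent
    print(location, server.token("app-full", code, None))
    print(is_allowed(server.clients["app-tpl"], "https://other.example/cb"))
```

The design point is the one the thread circles around: whatever matching policy applies at the authorization endpoint, the token endpoint compares the redirect_uri against the value bound to the code, not against the registration, so the second request cannot complete a flow started with a different redirect target.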
