> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Eran Hammer-Lahav
> Sent: Tuesday, September 20, 2011 3:13 PM
>
> > 3.1.1 Response Type
> >
> > The response_type parameter is REQUIRED but its absence SHOULD result
> > in an error. Why not MUST?
>
> Changes to MUST.
>
> > 3.1.2.4 Invalid Endpoint
> >
> > "The authorization server SHOULD NOT redirect...". Why isn't this a
> > MUST NOT?
>
> I'm ok with MUST NOT - any objections?

This one is actually tricky. I don't like the current text (mine) because untrusted is a useless qualifier here. The point is that redirecting to unregistered endpoints can lead to the abuse of the endpoint as an open redirector. Because we actually support unregistered callbacks, we can't say MUST NOT.

I am removing the 'untrusted' part but leaving the SHOULD NOT as is.

EHL

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
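The two points debated in the message above (a missing response_type must be an error, and an invalid or unregistered endpoint should not be redirected to, because a redirect to an unvalidated URI turns the authorization endpoint into an open redirector) can be shown as a small authorization-endpoint validator. This is an added example, not code from the OAuth working group, the draft, or the poster: client registrations, request parameters, the code value and the helper names are all constructed for illustration, and the rule that an unregistered-callback client may use any absolute https URI is this example's own assumption, not something the draft text specifies.

```python
"""Authorization-endpoint request validation (illustrative, not draft text).

Shows two behaviours: (1) a request without response_type yields an error
instead of being tolerated, and (2) a redirect_uri that fails validation is
answered with a direct error page, never a redirect, so the endpoint cannot be
used as an open redirector. All registrations and requests are constructed.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample registrations (hypothetical client ids). An empty tuple
# models an unregistered-callback client, which the draft still permits.
CLIENTS = {
    "app-registered": ("https://app.example/cb",),
    "app-unregistered": (),
}

SUPPORTED_RESPONSE_TYPES = {"code"}


def redirect_uri_allowed(client_id, redirect_uri):
    """Decide whether redirect_uri may be used on behalf of client_id.

    Registered clients: exact string match against a registered URI.
    Unregistered-callback clients (assumption of this example, not the draft):
    any absolute https URI without a fragment is accepted.
    """
    if client_id not in CLIENTS or not redirect_uri:
        return False
    registered = CLIENTS[client_id]
    if registered:
        return redirect_uri in registered
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def handle_authorization_request(params):
    """Return the server's response as a dict.

    {"action": "error_page", ...}            -> rendered directly, no redirect
    {"action": "redirect", "location": ...}  -> 302 to a validated URI only
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    state = params.get("state")

    # 3.1.2.4: an unknown client or an unvalidated endpoint is never
    # redirected to; the error stays on the authorization server's page.
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"action": "error_page", "error": "invalid_request",
                "error_description": "unknown client or invalid redirect_uri"}

    def redirect_with(query):
        # state is echoed back so the client can correlate the response.
        if state is not None:
            query["state"] = state
        sep = "&" if "?" in redirect_uri else "?"
        return {"action": "redirect",
                "location": f"{redirect_uri}{sep}{urlencode(query)}"}

    # 3.1.1: response_type is REQUIRED and its absence is an error. The error
    # may be delivered by redirect only because redirect_uri passed above.
    response_type = params.get("response_type")
    if not response_type:
        return redirect_with({"error": "invalid_request",
                              "error_description": "response_type is required"})
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return redirect_with({"error": "unsupported_response_type"})

    # Resource-owner authentication and consent would sit here; the example
    # skips them and issues a constructed, single-use code value.
    return redirect_with({"code": secrets.token_urlsafe(16)})
```

The ordering matters: redirect_uri is validated before any other parameter is inspected, so every later error can safely be returned by redirect, while an endpoint that fails validation only ever sees a locally rendered error page.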
