Section 3.1.2. of RFC6794 [0] says that:

    The redirection endpoint URI MUST be an absolute URI as defined by
    [RFC3986] Section 4.3. The endpoint URI MAY include an
    "application/x-www-form-urlencoded" formatted (per Appendix B) query
    component ([RFC3986] Section 3.4), which MUST be retained when adding
    additional query parameters. The endpoint URI MUST NOT include a
    fragment component.

What is the reasoning behind this? Would there be security implications other than for query parameters if this was enabled? Or is it related to issues with 3xx redirects and fragments [1]?

My google-foo fails me when I search through the archives. Could you please advise?

Best regards,
Adam Renberg

[0]: https://tools.ietf.org/html/rfc6749#section-3.1.2
[1]: http://stackoverflow.com/questions/2286402/url-fragment-and-302-redirects
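The three requirements quoted from Section 3.1.2 in the message above, written as a check an authorization server could run, as an added example that is not part of the original message. The function names, the `client.example` host and the sample `code` and `state` values are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def check_redirect_uri(uri: str) -> list[str]:
    """Return the Section 3.1.2 rules the URI breaks (empty list = acceptable)."""
    problems = []
    parts = urlsplit(uri)
    # "MUST be an absolute URI": a scheme is required, and for http(s)
    # an authority (host) as well.
    if not parts.scheme:
        problems.append("not absolute: no scheme")
    elif parts.scheme in ("http", "https") and not parts.netloc:
        problems.append("not absolute: no authority")
    # "MUST NOT include a fragment component": urlsplit() reports an empty
    # fragment for a trailing bare "#", so test the raw string instead.
    if "#" in uri:
        problems.append("fragment component present")
    return problems


def add_response_params(uri: str, params: dict[str, str]) -> str:
    """Append response parameters while retaining the registered query."""
    problems = check_redirect_uri(uri)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(uri)
    # Existing pairs stay first and in order; new ones are appended.
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.extend(params.items())
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), "")
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in (
        "https://client.example/cb?tenant=a",
        "/cb",
        "https://client.example/cb#section",
        "https://client.example/cb#",
    ):
        print(candidate, "->", check_redirect_uri(candidate) or "ok")
    print(add_response_params(
        "https://client.example/cb?tenant=a",
        {"code": "SAMPLECODE", "state": "xyz"},
    ))
```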
