Hi All,

While trying out the OAuth 2.0 authorization code grant type with Google, I
got the following response to my registered redirect_uri.

https://localhost:9000/app_uri?state=caf324471khs872&code=4/5wFzvDar86R-AJWCIE&scope=profile%20openid%20https://www.googleapis.com/auth/userinfo.profile&authuser=0&prompt=consent

As per the RFC6749 section 4.1.2, the authorization response from the
authorization endpoint only includes code and state.

I'd appreciate it if you can share any insights on why Google adds scope, authuser
and prompt parameters to the response, which are not in the OAuth 2.0 RFC -
and do we consider those additional parameters as a violation of
RFC6749?

Thanks!
-Alex
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
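As an added example (not part of Alex's post or of Google's code): a redirect handler that validates the authorization response the way RFC 6749 section 4.1.2 expects, checking state before anything else and tolerating the extra scope, authuser and prompt parameters, since that section requires the client to ignore unrecognized response parameters. The redirect URL below is constructed from the one quoted in the post; its values are not real.

```python
from urllib.parse import urlparse, parse_qs
import hmac

# Constructed sample, modelled on the redirect quoted in the post (values are not real).
SAMPLE_REDIRECT = (
    "https://localhost:9000/app_uri?state=caf324471khs872"
    "&code=4/5wFzvDar86R-AJWCIE"
    "&scope=profile%20openid%20https://www.googleapis.com/auth/userinfo.profile"
    "&authuser=0&prompt=consent"
)

KNOWN = {"code", "state"}                                    # RFC 6749 section 4.1.2
ERROR_PARAMS = {"error", "error_description", "error_uri"}  # RFC 6749 section 4.1.2.1


class AuthorizationResponseError(Exception):
    pass


def parse_authorization_response(redirect_url: str, expected_state: str) -> dict:
    """Validate an authorization response and return code, state and extras.

    Unrecognized parameters (scope, authuser, prompt, ...) are not an error:
    they are collected under "extras" so they can be logged, but never acted on.
    """
    query = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)
    # Refuse to guess between repeated parameters (e.g. two "code" values).
    dupes = [k for k, v in query.items() if len(v) > 1]
    if dupes:
        raise AuthorizationResponseError(f"duplicate parameters: {dupes}")
    params = {k: v[0] for k, v in query.items()}

    # state is checked first: a mismatch means this redirect was not started by
    # this client session, so nothing else in it can be trusted (CSRF defence).
    state = params.get("state", "")
    if not hmac.compare_digest(state, expected_state):
        raise AuthorizationResponseError("state mismatch")

    # Error responses carry "error" instead of "code".
    if "error" in params:
        raise AuthorizationResponseError(
            f"{params['error']}: {params.get('error_description', '')}"
        )

    code = params.get("code")
    if not code:
        raise AuthorizationResponseError("missing code")

    extras = {k: v for k, v in params.items() if k not in KNOWN | ERROR_PARAMS}
    return {"code": code, "state": state, "extras": extras}
```

The returned code is then exchanged at the token endpoint as usual; the extras are useful in logs when debugging consent behaviour but must not influence authorization decisions.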