Making it a specific error code rather than just an error message suggests that the client can do something with that information. That doesn’t seem likely to me. It’s most likely caused by a misconfiguration that somebody needs to manually sort out rather than something that can be automatically corrected, so I don’t see a reason for this to get its own error code.
— Neil

> On 2 Dec 2020, at 23:28, Brian Campbell <[email protected]> wrote:
>
> During the course of a recent OIDF FAPI WG discussion (the FAPI profiles use PAR for authz requests) on this issue it was noted that there's no specific error code for problems with the redirect_uri (the example in https://www.ietf.org/archive/id/draft-ietf-oauth-par-04.html#section-2.3 even shows a general error code with mention of the redirect_uri not being valid in the error description). Some folks on that call thought it would be worthwhile to have a more specific error code for an invalid redirect_uri and I reluctantly took an action item to raise the issue here. At the time I'd forgotten that PAR had already passed WGLC. But it's been sitting idle while awaiting the shepherd writeup since mid September so it's maybe realistic to think the window for a small change is still open.
>
> Presumably nothing like an "invalid_redirect_uri" error code was defined in RFC 6749 because that class of errors could not be returned to the client via redirection. But the data flow in PAR would allow for an "invalid_redirect_uri" so it's not an unreasonable thing to do.
>
> As I write this message, however, I'm not personally convinced that it's worth making a change to PAR at this point. But I did say I'd bring the question up in the WG list and I'm just trying to be true to my word. So here it is. Please weigh in, if you have opinions on the matter.

_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
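
As an added illustration of the behaviour discussed in this thread (not code from the draft or from either poster): a PAR endpoint's redirect_uri check that answers the client directly with the general `invalid_request` code and names the problem only in `error_description`, plus a client that treats the rejection as a configuration fault instead of retrying. The client_id, URIs, function names and the 60-second lifetime are assumptions made for the sketch.

```python
import secrets

# Constructed registration data; the client_id and URIs are hypothetical.
REGISTERED_REDIRECT_URIS = {"s6BhdRkqt3": {"https://client.example.org/cb"}}


def handle_par(client_id, params):
    """Validate redirect_uri for an already-authenticated client.

    Returns (http_status, json_body) as the PAR endpoint would send them.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    # Exact string comparison only: no prefix, wildcard or normalisation.
    # Assumption of this sketch: redirect_uri must always be present.
    if params.get("redirect_uri") not in registered:
        # Unlike the authorization endpoint, the PAR endpoint replies to the
        # client over the back channel, so the error can be reported at all.
        return 400, {
            "error": "invalid_request",
            "error_description":
                "The redirect_uri is not valid for the given client",
        }
    request_uri = ("urn:ietf:params:oauth:request_uri:"
                   + secrets.token_urlsafe(32))
    return 201, {"request_uri": request_uri, "expires_in": 60}


class PushedRequestRejected(Exception):
    """The pushed request was refused; an operator has to fix configuration."""


def push_request(client_id, params):
    """Client side: return the request_uri, or raise without retrying."""
    status, body = handle_par(client_id, params)
    if status != 201:
        # The generic code tells the client only that the request is bad;
        # the description is for the person reading the logs.
        raise PushedRequestRejected(
            f"{body['error']}: {body.get('error_description', '')}")
    return body["request_uri"]
```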
