Re: [OAUTH-WG] WGLC Review of PAR

2020-09-01 Thread Takahiko Kawasaki
Under existing specifications (RFC 6749, OIDC Core 1.0 and FAPI), a client can choose an arbitrary redirect_uri without registering it only when all the following conditions are satisfied. 1. The client type of the client is "confidential". (RFC 6749 Section 3.1.2.2 requires that public clients

Re: [OAUTH-WG] third party applications

2020-09-01 Thread Dima Postnikov
Good point Denis, thanks The OAuth 2.1 authorization framework enables a*n* *third-party* application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing

Re: [OAUTH-WG] WGLC Review of PAR

2020-09-01 Thread Torsten Lodderstedt
Here is my proposal for the new section: 2.4. redirect_uri Management The OAuth Security BCP [I-D.ietf-oauth-security-topics] as well as OAuth 2.1 [I-D.ietf-oauth-v2-1] require an AS to exactly match the redirect_uri parameter against the set of redirect URIs previously established for a

Re: [OAUTH-WG] third party applications

2020-09-01 Thread Denis
Hello Dima, Not exactly. Change : or by allowing the third-party application into: or by allowing the application Denis Thank everyone for your feedback. So the abstract could look like this: The OAuth 2.1 authorization framework enables a*n* *third-party* application to obtain

Re: [OAUTH-WG] third party applications

2020-09-01 Thread Dima Postnikov
Thank everyone for your feedback. So the abstract could look like this: The OAuth 2.1 authorization framework enables a*n* *third-party* application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the