Nat, > All the request parameters MUST be provided through request file.
"All" doesn't make much sense if params can still appear in the URI, and override the file. > The "request_url" MUST be provided in the URL. This isn't really a "MUST", its just indicates if you are using this feature (this "flow"). Would be good to say "A request_url param MUST NOT be provided in a request file". Probably good to add "A request file MUST be rejected if it includes a request_url param". > I am still not sure if "type" MUST be provided in the URL. > Conceptually, it need not be there. It depends on how implementors feel. > Any other parameters MAY be provided in the URL to override what is in the > request_file, I agree. > but the URL total length MUST NOT exceed 512 bytes. That is reasonable. -- James Manger _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth