4.3 would be the wrong behavior. I think it should just be an informative page 
to let the end-user know something broke.

New text:

          If the request fails due to a missing or invalid redirection URI, the
          authorization server SHOULD inform the end-user of the error, and MUST
          NOT redirect the end-user's user-agent to the invalid redirection URI.

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Nick Walker
> Sent: Tuesday, November 16, 2010 3:45 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] section 3.2 error in draft-ietf-oauth-v2-10
> 
> In section 3.2 of draft-ietf-oauth-v2-10:
> 
>     "... if the request is invalid, the authorization server informs
>     the client by adding the following parameters to the redirection
>     URI query component ..."
> 
> This leads to issuing an HTTP 302 response with an invalid Location header if
> the redirect_uri parameter is missing or invalid.
> 
> I believe the correct behavior in this case is the same as in section 4.3.
> 
> Nick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
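
An added example, not part of the thread or the draft: one way an authorization endpoint could apply the proposed text, showing an error page when the redirection URI is missing or invalid and appending error parameters only to a URI it has validated. The function names, the exact-match registration policy, the 400 status and the sample URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample registration for one client (assumption: URIs are pre-registered).
REGISTERED = {"https://client.example/cb?x=1"}


def redirect_uri_is_valid(redirect_uri, registered_uris):
    """Assumed policy: present, absolute http(s) URI, no fragment, exact registered match."""
    if not redirect_uri:
        return False
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.fragment:
        return False
    # Exact string comparison also rejects values carrying control characters.
    return redirect_uri in registered_uris


def authorization_error_response(redirect_uri, registered_uris, error, state=None):
    """Return (status, headers, body) for a failed authorization request."""
    if not redirect_uri_is_valid(redirect_uri, registered_uris):
        # MUST NOT redirect: inform the end-user directly and emit no Location header.
        # The untrusted redirect_uri value is deliberately not echoed into the page.
        body = ("<h1>Authorization request failed</h1>"
                "<p>The client sent a missing or invalid redirection URI.</p>")
        return 400, {"Content-Type": "text/html; charset=utf-8"}, body

    # The URI is trusted, so the client can be told about the error through it.
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if state is not None:
        query.append(("state", state))
    location = urlunsplit(parts._replace(query=urlencode(query)))
    return 302, {"Location": location}, ""


if __name__ == "__main__":
    for uri in (None, "https://other.example/cb", "https://client.example/cb?x=1"):
        status, headers, _ = authorization_error_response(
            uri, REGISTERED, "invalid_request", state="af0")
        print(uri, "->", status, headers.get("Location"))
```
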