4.3 would be the wrong behavior. I think it should just be an informative page to let the end-user know something broke.
New text:

If the request fails due to a missing or invalid redirection URI, the authorization server SHOULD inform the end-user of the error, and MUST NOT redirect the end-user's user-agent to the invalid redirection URI.

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Nick Walker
> Sent: Tuesday, November 16, 2010 3:45 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] section 3.2 error in draft-ietf-oauth-v2-10
>
> In section 3.2 of draft-ietf-oauth-v2-10:
>
> "... if the request is invalid, the authorization server informs
> the client by adding the following parameters to the redirection
> URI query component ..."
>
> This leads to issuing an HTTP 302 response with an invalid Location header if
> the redirect_uri parameter is missing or invalid.
>
> I believe the correct behavior in this case is the same as in section 4.3.
>
> Nick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
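
Added example, not part of the thread or of the draft: a sketch of the error branch the proposed text describes, where an authorization endpoint only redirects with error parameters once the redirection URI has been checked. The client registry, the exact-match policy, the 400 status for the end-user page and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed registry: hypothetical client id and pre-registered redirection URI.
REGISTERED = {"client-123": {"https://client.example/cb"}}

def redirect_uri_usable(client_id, redirect_uri):
    """True only if the URI is present, absolute, and registered for the client."""
    if not redirect_uri:
        return False
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:  # e.g. malformed bracketed host
        return False
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return False
    # Assumed policy: exact string match against the registered set.
    return redirect_uri in REGISTERED.get(client_id, set())

def authorization_error_response(params, error):
    """Return (status, headers, body) for a failed authorization request."""
    redirect_uri = params.get("redirect_uri")
    if not redirect_uri_usable(params.get("client_id"), redirect_uri):
        # Missing or invalid redirection URI: inform the end-user directly
        # and emit no Location header at all.
        body = "The authorization request could not be completed."
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, body
    # The redirection URI is known-good, so the client can be told via the
    # query component, preserving any query the registered URI already has.
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if "state" in params:
        query.append(("state", params["state"]))
    location = urlunsplit(parts._replace(query=urlencode(query)))
    return 302, {"Location": location}, ""
```
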