The way this is usually implemented is that everything but the query is fixed.

EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Phil Hunt
Sent: Sunday, January 23, 2011 8:45 AM
To: [email protected] WG
Subject: [OAUTH-WG] Draft 12 - redirection URI

From section 3.1.1 ...

The authorization server SHOULD require the client to pre-register their redirection URI or at least certain components such as the scheme, host, port and path. If a redirection URI was registered, the authorization server MUST compare any redirection URI received at the authorization endpoint with the registered URI.

Why compare? If the first part is correct, then the pre-registered value SHOULD always be taken. It sounds like the redirection URI is being used like another secret, which it shouldn't be.

Also, if redirect_uri is to be accepted at all (not pre-registered), its transmission/use spec'd in a secure way so this paragraph isn't needed.

Phil
[email protected]<mailto:[email protected]>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
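The comparison rule EHL describes above ("everything but the query is fixed") and Phil's suggestion that the pre-registered value should be the one actually used can be expressed as a small validator. The following is an added example written for this thread, not code from the OAuth working group or from any draft; the registered URI, the case-folding of scheme and host, the normalisation of default ports, and the rejection of fragments are all assumptions made here to show what a concrete implementation has to decide, not requirements stated in the message.

```python
from urllib.parse import urlsplit

# Constructed registered redirect URI for a hypothetical client (assumption, not from the thread).
REGISTERED_REDIRECT_URI = "https://client.example.com:443/cb"

# Default ports so "https://h/cb" and "https://h:443/cb" compare equal (assumed normalisation).
DEFAULT_PORTS = {"http": 80, "https": 443}


def _fixed_components(uri):
    """Split a URI into the components the server treats as fixed: scheme, host, port, path.
    The fragment is returned too so the caller can reject URIs that carry one."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    # parts.port raises ValueError on a non-numeric port; the caller turns that into a mismatch
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, parts.path, parts.fragment


def redirect_uri_matches(received, registered=REGISTERED_REDIRECT_URI):
    """Return True when `received` equals `registered` in scheme, host, port and path.
    Only the query string may differ; a fragment on either side is treated as a mismatch."""
    try:
        recv = _fixed_components(received)
        reg = _fixed_components(registered)
    except ValueError:
        return False
    if recv[4] or reg[4]:
        return False
    return recv[:4] == reg[:4]


def effective_redirect_uri(received, registered=REGISTERED_REDIRECT_URI):
    """Apply the 'always take the pre-registered value' policy: the response goes to the
    registered URI, with only the query string from the request carried over.
    Returns None when the fixed components do not match. Assumes the registered URI
    itself carries no query string."""
    if not redirect_uri_matches(received, registered):
        return None
    query = urlsplit(received).query
    return registered + ("?" + query if query else "")


if __name__ == "__main__":
    for candidate in (
        "https://client.example.com/cb?state=xyz",   # query differs: allowed
        "https://CLIENT.example.com/cb",             # host case differs: allowed
        "http://client.example.com/cb",              # scheme differs: rejected
        "https://client.example.com:8443/cb",        # port differs: rejected
        "https://client.example.com/other",          # path differs: rejected
        "https://client.example.com/cb#frag",        # fragment present: rejected
        "https://other.example.net/cb",              # host differs: rejected
    ):
        print(candidate, "->", effective_redirect_uri(candidate))
```

Because the server redirects to the registered URI rather than echoing the received one, the received value only serves as a consistency check, which is the point of Phil's remark that it should not behave like a second client secret.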
