On Mon, Jul 18, 2011 at 11:32 PM, Eran Hammer-Lahav <e...@hueniverse.com>wrote:
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eliot Lear
> Sent: Sunday, July 17, 2011 2:49 AM
>
> > One other point: if the redirection_uri can have fragments and can be
> > provided, why is state necessary?
>
> First, I assume you mean query instead of fragment.
>
> This was discussed on the list about a year ago. There isn't a requirement
> to support both dynamic redirection URIs as well as a special state
> parameter. However, the state parameter provides a better way to allow
> customization of the redirection request alongside full registration of the
> redirection URI. Section 3.1.2 recommends using the state parameter over
> changing the redirection URI itself.
>
> Using state is much simpler because the authorization server does not have
> to implement potentially insecure URI comparison algorithms for dynamic
> redirection URIs.

Agree -- for instance, Google's provider doesn't allow arbitrary dynamic specification of query or fragment parameters in redirect URIs, due largely to security considerations.

> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--
Breno de Medeiros
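The two designs being compared above, side by side, as an added example by the editor (this is not code from the thread, from the OAuth specification, or from Google's provider). It assumes a hypothetical client `client-123` with one registered redirection URI, and a server-side dictionary standing in for the client's session store. `redirect_uri_allowed_prefix` is the kind of lenient comparison an authorization server needs if it lets clients append dynamic query strings; `redirect_uri_allowed_exact` plus the `state` parameter is the alternative the thread favours.

```python
import secrets
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed registration data for this example (hypothetical client and URI).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/cb"},
}


def redirect_uri_allowed_exact(client_id, requested):
    """Authorization-server check: the requested redirect_uri must be
    byte-for-byte one of the client's registered URIs. Any per-request
    customization then has to travel in `state`, not in the URI."""
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, set())


def redirect_uri_allowed_prefix(client_id, requested):
    """Authorization-server check that tolerates dynamic query strings by
    accepting any URI that starts with a registered one. This is the sort of
    'potentially insecure URI comparison' the thread warns about: it accepts
    the benign `?return_to=` case and the malicious path-traversal case alike."""
    return any(requested.startswith(reg)
               for reg in REGISTERED_REDIRECT_URIS.get(client_id, ()))


class OAuthClient:
    """Client side: per-request data rides in `state`; the callback is bound
    to the session that started it and each state value is single-use."""

    def __init__(self, client_id, redirect_uri, auth_endpoint):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.auth_endpoint = auth_endpoint
        self._pending = {}  # state -> data to restore on callback (assumed session store)

    def build_authorization_url(self, return_to):
        # Only a local path is accepted so `return_to` cannot become an open redirect.
        if not return_to.startswith("/") or return_to.startswith("//"):
            raise ValueError("return_to must be a local path")
        state = secrets.token_urlsafe(32)  # unguessable, one-time
        self._pending[state] = {"return_to": return_to}
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,  # always the registered value, unchanged
            "state": state,
        }
        return f"{self.auth_endpoint}?{urlencode(params)}", state

    def handle_callback(self, callback_url):
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [None])[0]
        # pop() makes the state single-use: a replayed callback is rejected.
        data = self._pending.pop(state, None) if state else None
        if data is None:
            raise ValueError("state does not match a pending request (CSRF or replay)")
        code = query.get("code", [None])[0]
        if code is None:
            raise ValueError("no authorization code in callback")
        return code, data["return_to"]


if __name__ == "__main__":
    benign = "https://app.example.com/cb?return_to=/dashboard"
    hostile = "https://app.example.com/cb/../redirect?url=https://attacker.example"
    for uri in (benign, hostile):
        print(uri)
        print("  prefix match:", redirect_uri_allowed_prefix("client-123", uri))
        print("  exact match: ", redirect_uri_allowed_exact("client-123", uri))

    client = OAuthClient("client-123", "https://app.example.com/cb",
                         "https://as.example.com/authorize")
    url, state = client.build_authorization_url("/dashboard")
    print("authorize:", url)
    code, return_to = client.handle_callback(
        f"https://app.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}")
    print("callback ok:", code, "->", return_to)
```

The prefix comparison cannot tell the `?return_to=` customization apart from a traversal into some other endpoint on the same host, which is why exact matching plus `state` is the simpler thing for an authorization server to get right; the client still has to keep `state` unguessable, bind it to the session, and validate whatever it carries (here, restricting `return_to` to a local path).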