Hi,

Section 3.2 [1] mentions that "If the algorithm is registered, the server MUST reject any request that does not conform to the algorithm".
I wonder if this text adds anything extra in addition to what Section 3.7 [2] says, where the server is required to reject the request if the verifier and the challenge do not match?
I don't understand how registering the supported algorithms helps, given that the client only provides a code_verifier.
Thanks, Sergey

[1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.2
[2] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.7