Hi Torsten,

As we briefly spoke about earlier, "3.8.1. Authorization Server as Open Redirector" could, I think, be made more explicit.

Currently it explicitly mentions that the invalid_request and invalid_scope errors must not redirect back to the client's registered redirect URI. https://tools.ietf.org/html/rfc6749#section-4.1.2.1 defines several more potential errors that appear to fall into the same category. I understand that to block the attack fully we need "must not redirect" requirements for all the kinds of error that could cause an automatic redirect back to the client's registered redirect URI without any user interaction; 'unauthorized_client' and 'unsupported_response_type' seem to fall into that category. 'server_error' also seems dodgy (I would wager that on some servers there are known ways to provoke server errors), and I would have doubts about 'temporarily_unavailable' too.

Thanks,
Joseph
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
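The following is an added illustration, not code from the thread, from Joseph, or from any IETF draft. It models an authorization endpoint two ways: the "open redirector" behaviour, where every RFC 6749 section 4.1.2.1 error with a registered redirect_uri is bounced straight back, and a hardened variant that renders the errors an attacker can provoke from the URL alone (invalid_request, invalid_scope, unauthorized_client, unsupported_response_type, server_error, temporarily_unavailable) at the AS instead. The client registry, the hostnames as.example, client-a.example and attacker.example, and the attacker-registered client are all constructed assumptions for the example; the only error that may still redirect is access_denied, because it reports a decision the resource owner actually made.

```python
"""Added example (not from the mailing-list thread or any IETF text): why an
authorization server that auto-redirects non-interactive errors is an open
redirector, and what the hardened endpoint does instead.
All client data and hostnames below are constructed for illustration."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry. 'attacker-client' stands in for a client an
# attacker managed to register with a redirect URI they control; this is an
# assumption of the example, not a statement about any real AS.
CLIENTS = {
    "client-a": {
        "redirect_uris": ["https://client-a.example/cb"],
        "response_types": ["code"],
        "scopes": ["openid", "profile"],
    },
    "attacker-client": {
        "redirect_uris": ["https://attacker.example/landing"],
        "response_types": ["code"],
        "scopes": ["openid"],
    },
}

# RFC 6749 section 4.1.2.1 error codes a crafted authorization URL can provoke
# with no resource-owner interaction. access_denied is deliberately absent: it
# exists only to report a choice the user made on the consent page.
NON_INTERACTIVE_ERRORS = {
    "invalid_request", "unauthorized_client", "unsupported_response_type",
    "invalid_scope", "server_error", "temporarily_unavailable",
}

# Constructed attacker link: hosted on the (trusted) AS domain, provokes
# invalid_scope for the attacker's own client. as.example is an assumed name.
ATTACK_PARAMS = {
    "client_id": "attacker-client",
    "redirect_uri": "https://attacker.example/landing",
    "response_type": "code",
    "scope": "openid admin",   # 'admin' is not registered -> invalid_scope
    "state": "x",
}
CRAFTED_LINK = "https://as.example/authorize?" + urlencode(ATTACK_PARAMS)


def validate(params):
    """Return (redirect_uri_or_None, error_or_None) for an authorization request.

    redirect_uri is returned only after an exact match against the client's
    registration, so it is the only URI the endpoint may ever redirect to.
    """
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri")
    if client is None or redirect_uri not in client["redirect_uris"]:
        # RFC 6749 4.1.2.1: unknown client or unregistered redirect_uri means
        # the AS MUST NOT redirect at all, in either variant.
        return None, "invalid_request"
    if params.get("response_type") not in client["response_types"]:
        return redirect_uri, "unsupported_response_type"
    if not set(params.get("scope", "").split()) <= set(client["scopes"]):
        return redirect_uri, "invalid_scope"
    return redirect_uri, None


def error_redirect(redirect_uri, error, state):
    """Build an RFC 6749 error redirect (query-string form, as for the code flow)."""
    query = {"error": error}
    if state is not None:
        query["state"] = state
    return 302, redirect_uri + "?" + urlencode(query)


def authorize_open_redirector(params):
    """Pre-hardening: any error with a registered redirect_uri is bounced back
    immediately, so a link to the AS that trips invalid_scope lands the victim on
    the attacker's registered URI without the AS ever showing a page."""
    redirect_uri, error = validate(params)
    if redirect_uri is None:
        return 400, None
    if error:
        return error_redirect(redirect_uri, error, params.get("state"))
    return 200, {"consent_for": params["client_id"], "redirect_uri": redirect_uri}


def authorize_hardened(params):
    """Hardened: errors reachable without user interaction are rendered by the
    AS itself (an HTTP 400 page, no Location header). Redirecting is deferred
    to consent_decision, i.e. until the resource owner has actually acted."""
    redirect_uri, error = validate(params)
    if redirect_uri is None or error in NON_INTERACTIVE_ERRORS:
        return 400, None
    return 200, {"consent_for": params["client_id"], "redirect_uri": redirect_uri}


def consent_decision(redirect_uri, state, approved):
    """Post-consent step, shared by both variants. Redirecting here is fine:
    the user either approved (code issued) or declined (access_denied)."""
    if not approved:
        return error_redirect(redirect_uri, "access_denied", state)
    query = {"code": secrets.token_urlsafe(32)}
    if state is not None:
        query["state"] = state
    return 302, redirect_uri + "?" + urlencode(query)


def handle_url(url, endpoint):
    """Parse a full authorization URL as a victim's browser would request it
    and dispatch it to one of the two endpoint implementations."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return endpoint(params)


def location_host(response):
    """Host the browser would be sent to, or None when no redirect was issued."""
    status, location = response
    return urlsplit(location).hostname if status == 302 and location else None


if __name__ == "__main__":
    print("open redirector:", handle_url(CRAFTED_LINK, authorize_open_redirector))
    print("hardened:       ", handle_url(CRAFTED_LINK, authorize_hardened))
```

The interesting line is the `NON_INTERACTIVE_ERRORS` check in `authorize_hardened`: the decision is keyed on whether the user could have been involved, not on the specific error name, which is exactly why adding codes beyond invalid_request and invalid_scope changes nothing structurally but closes the remaining redirect paths. A real AS would also apply the same rule to any exception handler that currently maps uncaught failures to a server_error redirect.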