On Wed, Mar 21, 2018 at 8:34 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> The AS MUST take precautions to prevent this threat.
> Based on its risk assessment the AS needs to decide whether
> it can trust the redirect URI or not and should only automatically
> redirect the user agent, if it trusts the redirect URI. If not, it could
> inform the user that it is about to redirect her to the another site
>

The "...and should..." and "...it could inform..." don't directly line up with the MUST at the beginning of that paragraph. It makes the MTI precautions only and the rest is optional. If that's desired, OK, but I'd suggest using all caps to make that clear -- MAY/OPTIONAL or MUST/REQUIRED or SHOULD/RECOMMENDED