On Mon, Apr 27, 2020 at 12:58:09PM -0400, Justin Richer wrote:
> I agree that any URI could be used but that it MUST be understood by the AS 
> to be local to the AS (and not something that can be impersonated by an 
> attacker). I wouldn’t even go so far as RECOMMENDED, but it’s certainly an 
> option.

IIUC BCP 190 has similar thoughts on the matter...

-Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
