I'd like to get a standard for redirect URI matching, but think this may not
be feasible - we are leaving the callback URI registration mechanism
undefined and I've heard a number of different mechanisms that companies
want to support.
I think we should leave the matching undefined, possibly with
On Sun, May 16, 2010 at 11:20 AM, Dick Hardt dick.ha...@gmail.com wrote:
If the matching is left to an arbitrary, server defined algorithm, we lose
interop since a client implementation may make assumptions on what may be
allowed in the redirect_uri at one AS and then not be able to work with
On Tue, May 11, 2010 at 11:31 PM, Luke Shepard lshep...@facebook.comwrote:
FWIW, Facebook does not do strict equality matching on redirect_uri. We
accept any redirect_uri that has either:
- its prefix is the registered url
- or it is a special facebook.com/xd_proxy.php url, with an origin