On Tue, May 11, 2010 at 11:31 PM, Luke Shepard <lshep...@facebook.com> wrote:

> FWIW, Facebook does not do strict equality matching on redirect_uri. We
> accept any redirect_uri that has either:
>
> - its prefix is the registered url
> - or it is a special facebook.com/xd_proxy.php url, with an origin
>   parameter that has a prefix on the registered url
>
> I think that the spec should leave the matching up to the server.

If the matching is left to an arbitrary, server-defined algorithm, we lose interop, since a client implementation may make assumptions on what may be allowed in the redirect_uri at one AS and then not be able to work with another AS that is more restrictive. As this is a security feature, I'd like to hear the options from the security-oriented participants with experience here. Allen / Brian?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
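The thread contrasts strict equality on redirect_uri with the two looser rules Luke describes (prefix of the registered URL, or a proxy URL whose origin parameter is prefix-matched). The script below, an added example that is neither code from this thread nor Facebook's implementation, puts three policies side by side on the same constructed inputs: strict equality, a plain string-prefix reading of the rule, and a component-wise prefix (scheme, host and port must be equal, only the path may grow). The registered URL, the candidate URLs and `PROXY_URL` (a hypothetical stand-in for facebook.com/xd_proxy.php) are all assumptions made for the example. Running it shows concretely why the reply worries about interop: the same redirect_uri is accepted by one policy and rejected by another, and a plain string prefix on a bare-origin registration also accepts an appended host label and a changed port.

```python
"""Three redirect_uri matching policies side by side.

Added example for the OAuth redirect_uri discussion; not code from the
mailing-list thread and not Facebook's implementation. All URLs are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed registration: a bare origin, the kind of value a client registers
# when the server matches by prefix (as the quoted message describes).
REGISTERED = "https://app.example.com"

# Hypothetical stand-in for the facebook.com/xd_proxy.php endpoint in the quote.
PROXY_URL = "https://idp.example.com/xd_proxy.php"

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def strict_match(registered, candidate):
    """Byte-for-byte equality: the most restrictive policy."""
    return registered == candidate


def naive_prefix_match(registered, candidate):
    """Plain string prefix, the loosest reading of 'its prefix is the registered url'."""
    return candidate.startswith(registered)


def component_prefix_match(registered, candidate):
    """Prefix on the path only: scheme, host and port must agree exactly,
    and the path may only grow at a '/' boundary."""
    if _origin(registered) != _origin(candidate):
        return False
    r_path = urlsplit(registered).path
    c_path = urlsplit(candidate).path
    return c_path == r_path or c_path.startswith(r_path.rstrip("/") + "/")


def proxy_match(registered, candidate, policy):
    """The second rule from the quoted message: accept the proxy URL when its
    single 'origin' parameter passes `policy` against the registered URL."""
    u = urlsplit(candidate)
    if f"{u.scheme}://{u.netloc}{u.path}" != PROXY_URL:
        return False
    origins = parse_qs(u.query).get("origin", [])
    return len(origins) == 1 and policy(registered, origins[0])


POLICIES = {
    "strict": strict_match,
    "naive_prefix": naive_prefix_match,
    "component_prefix": component_prefix_match,
}


def evaluate(candidate, registered=REGISTERED):
    """Return {policy_name: accepted} for one candidate redirect_uri,
    applying each policy directly and then through the proxy rule."""
    return {
        name: policy(registered, candidate) or proxy_match(registered, candidate, policy)
        for name, policy in POLICIES.items()
    }


# Constructed candidate redirect_uri values a client might send.
CANDIDATES = [
    "https://app.example.com",                                 # exact match
    "https://app.example.com/cb?state=xyz",                    # path and query added
    "https://app.example.com:8443/cb",                         # non-default port
    "https://app.example.com.attacker.test/cb",                # host label appended
    "http://app.example.com/cb",                               # scheme changed
    PROXY_URL + "?origin=https%3A%2F%2Fapp.example.com%2Fcb",  # proxy form
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c:60} {evaluate(c)}")
```

The second and third rows are the interop point: a client that learned at one AS that `https://app.example.com/cb?state=xyz` is fine will be refused by a strict-equality AS, while `https://app.example.com:8443/cb` passes a string prefix but not a component-wise one. The fourth row is why the choice is also a security decision: with a bare origin registered, a string prefix accepts a host the client never registered.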