On Mon, May 17, 2010 at 8:53 AM, Marius Scurtescu <mscurte...@google.com> wrote:

> On Mon, May 17, 2010 at 8:29 AM, Evan Gilbert <uid...@google.com> wrote:
> > I'd like to get a standard for redirect URI matching, but think this may not
> > be feasible - we are leaving the callback URI registration mechanism
> > undefined and I've heard a number of different mechanisms that companies
> > want to support.
> > I think we should leave the matching undefined, possibly with a SHOULD for
> > the most common matching mechanism (URL prefix?)
> >
> > I'm not hugely worried about incompatibilities between different AS on this
> > front:
> > 1. Clients will push us strongly towards compatible implementations.
> > 2. Clients can always set up a redirector if needed for a specific AS (as an
> > aside - we need a document detailing how to build a redirector properly
> > without becoming an open redirector).
>
> Isn't this saying that clients can always implement strict matching
> and live with that? Why not require it then?
>

No, don't think so.

Clients will use redirect behavior that works with their current provider,
and deal with strict matching when/if it comes up.

I'm pretty sure that norms will evolve, but also pretty sure that we won't
agree right now.


>
> Marius
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
