Correct. If the user has to approve the response, then it doesn't function as an open redirector. I'm only worried about returning an error immediately.
On Jul 26, 2010, at 10:29 AM, Marius Scurtescu wrote:

> On Mon, Jul 26, 2010 at 5:07 AM, Richer, Justin P. <jric...@mitre.org> wrote:
>> And this is even a bigger potential problem when you combine it with
>> unregistered or dynamically-registered clients, which we know some instances
>> are going to support. In these cases, though, it's hard to trust *any* URL
>> that the client is asking for, even for valid responses.
>
> The user must approve a valid response, so it should not work as a
> redirector. Right?
>
> An immediate mode will only work if the user explicitly approved at
> least once in the past.
>
> Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
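The redirect-on-error concern the thread is circling, as an added example that is not part of the original messages or of any OAuth implementation: an authorization endpoint that redirects an error to the client's redirect_uri only when that URI was pre-registered for the client or the same user approved it in an earlier (non-immediate) flow, and otherwise renders the error at the authorization server instead of redirecting. Client ids, URIs and user names are constructed sample data.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Constructed sample data (not taken from the thread): redirect URIs registered
# per client, and redirect URIs a given user has already approved for a client
# (the "approved at least once in the past" condition for immediate mode).
REGISTERED = {"client-abc": {"https://app.example.com/cb"}}
USER_APPROVED = {("alice", "client-xyz"): {"https://dyn.example.net/return"}}


def redirect_uri_trusted(user, client_id, redirect_uri):
    """Exact string match only: registered for the client, or previously
    approved by this user for this client. No prefix or pattern matching."""
    if redirect_uri in REGISTERED.get(client_id, set()):
        return True
    return redirect_uri in USER_APPROVED.get((user, client_id), set())


def append_query(url, params):
    """Add params to url's query string, preserving any query it already has."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def deliver_error(user, client_id, redirect_uri, error, state=None):
    """Return ("redirect", url) only when the redirect target is trusted.

    Otherwise return ("render", message): the error page is shown at the
    authorization server, so the endpoint never bounces the user to a URL
    the client merely asserted, and cannot be used as an open redirector
    even when no user approval step has taken place.
    """
    if redirect_uri_trusted(user, client_id, redirect_uri):
        params = {"error": error}
        if state is not None:
            params["state"] = state
        return ("redirect", append_query(redirect_uri, params))
    return ("render",
            f"{error}: redirect_uri is not registered or approved for client {client_id}")
```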