On Fri, Apr 29, 2011 at 11:21 AM, Doug Tangren <d.tang...@gmail.com> wrote:
> Is this required or not? In the example
> http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3.1 it's listed
> in the example but not itemized as optional or required. It's not in the
> example for refreshing tokens
> http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6 though that
> section links back to section 3.1 which does use a redirect_uri in the
> example.
>
> Should the redirect_uri be a requirement for client authentication or is it
> optional?
>

It should be required when exchanging an authorization code for a refresh token. This provides a defense against authorization codes which have leaked due to open redirectors. It should not be present under other circumstances.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
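Added example, not part of the original thread or of the OAuth draft: a sketch of the server-side check the reply describes, where an authorization code is bound to the redirect_uri it was issued for and the token endpoint refuses the exchange unless the same value is presented. The class name, in-memory store, code lifetime and exact-match comparison are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed code lifetime, not taken from the thread


class AuthorizationServer:
    """Hypothetical in-memory model of code issuance and redemption."""

    def __init__(self):
        # code -> (client_id, redirect_uri, expires_at)
        self._codes = {}

    def issue_code(self, client_id, redirect_uri, now=None):
        """Authorization endpoint: record where the code is being sent."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, now + CODE_TTL_SECONDS)
        return code

    def redeem_code(self, client_id, code, redirect_uri, now=None):
        """Token endpoint: exchange a code, requiring the bound redirect_uri."""
        now = time.time() if now is None else now
        # Codes are single use: consume the code before any other check, so a
        # failed attempt with a leaked code also invalidates it.
        record = self._codes.pop(code, None)
        if record is None:
            return {"error": "invalid_grant"}
        bound_client, bound_uri, expires_at = record
        if now > expires_at or bound_client != client_id:
            return {"error": "invalid_grant"}
        if redirect_uri is None:
            # Required on this exchange; omitting it is a malformed request.
            return {"error": "invalid_request"}
        # Exact comparison: a code delivered through some other redirect
        # (for example via an open redirector) carries a different URI.
        if not hmac.compare_digest(bound_uri.encode(), redirect_uri.encode()):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    srv = AuthorizationServer()
    cb = "https://client.example/cb"  # constructed sample value
    print(srv.redeem_code("client-1", srv.issue_code("client-1", cb), cb))
```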