"The authorization server redirects the user-agent to the
client's redirection URI previously established with the
authorization server during the client registration process."
Conflicts with section 3.1.2.3, which allows a redirect_uri to be passed via a
URI query parameter.
3.1.2.1 Endpoint Confidentiality
What does "endpoint" confidentiality mean? Which endpoint does this text
refer to? The client's redirect_uri endpoint?
The text, in my opinion, covers two different scenarios:
first paragraph: confidentiality of access tokens and authz codes in
transit.
second paragraph/last sentence: man-in-the-middle attacks
Those attacks are also covered in sections 10.5 and 10.8.
3.1.2.5. Endpoint Content
As this section discusses security aspects of the client's
implementation of the redirect_uri page, shouldn't this go to the
security considerations section?
regards,
Torsten.
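Added example, not from the draft or from this thread: one way an authorization server can reconcile a redirect URI registered at client-registration time with the optional redirect_uri query parameter raised above, and enforce the transport-confidentiality point from 3.1.2.1 when the URI is registered. The in-memory registry, the exact-string-match policy and the https-only rule for web clients are assumptions.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class RedirectUriError(ValueError):
    """Raised when a redirect URI is rejected at registration or request time."""


# Constructed registry (assumption): client_id -> registered redirect URIs.
REGISTRY: Dict[str, List[str]] = {}


def register_redirect_uri(client_id: str, uri: str) -> None:
    """Registration-time checks (assumed policy): the URI must be absolute,
    carry no fragment, and use https when it is a web URI, so authorization
    codes and tokens are not exposed in transit to the redirect endpoint."""
    parts = urlsplit(uri)
    if not parts.scheme or not (parts.netloc or parts.path):
        raise RedirectUriError("redirect URI must be absolute")
    if parts.fragment or uri.endswith("#"):
        raise RedirectUriError("redirect URI must not contain a fragment")
    if parts.scheme == "http":
        raise RedirectUriError("web redirect URIs must use https")
    REGISTRY.setdefault(client_id, []).append(uri)


def resolve_redirect_uri(client_id: str, requested: Optional[str] = None) -> str:
    """Request-time reconciliation of the redirect_uri parameter with the
    registered value(s).  On any failure the caller must NOT redirect the
    user-agent to the supplied URI; it should show an error page instead."""
    registered = REGISTRY.get(client_id, [])
    if not registered:
        raise RedirectUriError("unknown client or no redirect URI registered")
    if requested is None:
        # Parameter omitted: only unambiguous if exactly one URI is registered.
        if len(registered) != 1:
            raise RedirectUriError("redirect_uri is required: several URIs registered")
        return registered[0]
    # Simple string comparison: no prefix match, wildcard or normalisation,
    # so "https://app.example.com/cb?x=1" does not match ".../cb".
    if requested not in registered:
        raise RedirectUriError("redirect_uri does not match a registered value")
    return requested
```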
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth