On Thu, Aug 02, 2018 at 11:41:05AM -0700, William Denniss wrote:
> Alissa,
>
> Thank you for your review. Replies inline:
>
> On Tue, Jul 31, 2018 at 8:58 AM, Alissa Cooper <ali...@cooperw.in> wrote:
>
> >
> > Section 3.3:
> >
> > "It is NOT RECOMMENDED for authorization servers to include the user
> > code in the verification URI ("verification_uri"), as this increases
> > the length and complexity of the URI that the user must type."
> >
> > I don't fully understand the justification for the normative requirement
> > here. The user ultimately ends up typing in both strings, right? Is it so
> > much more complex to type them both into a browser bar contiguously than
> > to type the URI into the browser bar and the code into some form field on
> > the page such that the normative requirement is warranted?
> >
>
> Yes, the user will need to type both strings regardless.
>
> The main reason for the recommended separation is that the URI can't be
> validated/corrected – either they type it correctly and they get to the
> page, or they don't. But for the user-code, the page can display an error
> if the user types it wrong. The belief is that it's a better user
> experience that they get to the page, and then continue the input from
> there rather than get browser errors if they typed the user-code part of
> the URI wrong.
I am hardly a URI expert, so salt as appropriate, but if the user code was in the query string, would the server still be able to generate a useful error page if the user code was typed incorrectly?

-Benjamin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
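The distinction William draws above (a mistyped URI never reaches the verification page, while a mistyped user code can be checked and reported by that page) as an added example; this is not code from the thread or from the device-flow draft, and the `/device` path, the `user_code` parameter name and the pending-code table are assumptions. The `GET` branch also models the query-string placement Benjamin asks about, where the code is checkable only once the path itself was typed correctly.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of pending device authorizations (user code -> device code).
PENDING = {"WDJB-MJHT": "device-code-1"}


def normalize_user_code(raw):
    """Canonicalise what the user typed: case-insensitive, separators ignored."""
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def lookup_user_code(raw):
    """Return the pending device code matching a typed user code, or None."""
    wanted = normalize_user_code(raw)
    for user_code, device_code in PENDING.items():
        if normalize_user_code(user_code) == wanted:
            return device_code
    return None


def handle_request(method, target, form=None):
    """Model the verification endpoint's view of a typed-in request.

    Returns (status, page). The path decides whether the user reaches the
    verification page at all; only once there can the code be validated.
    """
    parts = urlsplit(target)
    if parts.path != "/device":          # assumed verification path
        # A typo in the URI itself: no verification page is reached, so the
        # server cannot tell the user what went wrong or let them retry.
        return 404, "not_found"
    if method == "GET":
        code = parse_qs(parts.query).get("user_code", [None])[0]
    elif method == "POST":
        code = (form or {}).get("user_code")
    else:
        return 405, "method_not_allowed"
    if code is None:
        return 200, "prompt"             # render the user-code form
    if lookup_user_code(code) is None:
        return 200, "invalid_code"       # error page; form shown again
    return 200, "confirm"                # ask the user to approve the device


if __name__ == "__main__":
    print(handle_request("GET", "https://example.com/device"))
    print(handle_request("GET", "https://example.com/devcie?user_code=WDJB-MJHT"))
    print(handle_request("GET", "https://example.com/device?user_code=WDJB-MJHX"))
    print(handle_request("POST", "/device", {"user_code": "wdjbmjht"}))
```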