Hi Francis,

As much as I would love to require that all authorization requests are initiated via a back channel, that is unfortunately not something that is in scope of the current OAuth 2.1 document.

The OAuth 2.0 Security BCP and this document require strict redirect URI matching, which should help simplify the AS, since simple string matching is sufficient now.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

On Wed, Apr 8, 2020 at 3:01 PM Francis Pouatcha <f...@adorsys.de> wrote:
> There is a lot of effort associated with the handling and correct
> validation of a redirect_uri sent to the AS as part of the front channel
> authorization request, as this gets transported by user agents.
>
> The draft-parecki-oauth-v2-1 as a replacement of RFC 6749 must make sure
> redirect_uri is only sent to the AS through the back channel. This of
> course requires the implementation of a new "authorization request
> initiation endpoint". The draft-ietf-oauth-par-01 provides guidance on
> how to design this initiation endpoint.
>
> --
> Francis Pouatcha
> Co-Founder and Technical Lead at adorsys
> https://adorsys-platform.de/solutions/
>
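Added illustration of the strict redirect URI matching discussed above. This is example code written for this page, not part of Aaron's or Francis's messages and not text from the OAuth 2.1 draft or the Security BCP. It shows the AS-side check as simple string comparison, contrasted with the prefix matching many RFC 6749-era servers used, and the one relaxation the BCP carries over from RFC 8252 Section 7.3 (the port of a loopback redirect URI for native apps may vary). The client registrations and candidate URIs are constructed; treating only the literal hosts 127.0.0.1 and ::1 as loopback (not "localhost") is this example's own choice.

```python
from urllib.parse import urlsplit

# Loopback hosts for native apps (RFC 8252, Section 7.3): the port of a
# registered http://127.0.0.1/... or http://[::1]/... redirect URI may
# vary, because the app binds an ephemeral port at runtime. Limiting this
# to the two literal addresses (and not "localhost") is this example's
# assumption, not something either message on this page states.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_http(uri: str) -> bool:
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def loopback_match(registered: str, requested: str) -> bool:
    """Exact match of every component except the port."""
    r, q = urlsplit(registered), urlsplit(requested)
    return (r.scheme, r.hostname, r.path, r.query, r.fragment) == (
        q.scheme, q.hostname, q.path, q.query, q.fragment)


def redirect_uri_allowed(registered_uris, requested: str) -> bool:
    """Strict matching: the requested URI must be character-for-character
    identical to a registered one (simple string comparison, RFC 3986
    Section 6.2.1). No prefix, wildcard or pattern matching; the only
    relaxation is the loopback port exception above. Any normalization
    (e.g. lower-casing the host) belongs at registration time, not here."""
    for reg in registered_uris:
        if reg == requested:
            return True
        if (is_loopback_http(reg) and is_loopback_http(requested)
                and loopback_match(reg, requested)):
            return True
    return False


def prefix_allowed(registered_uris, requested: str) -> bool:
    """The loose matching some RFC 6749-era servers implemented. Shown only
    to contrast with the strict rule; it accepts query strings and path
    suffixes an attacker controls. Do not use."""
    return any(requested.startswith(reg) for reg in registered_uris)


def resolve_redirect_uri(client: dict, params: dict):
    """Decide where the AS may send the user agent back to.

    Returns the redirect URI to use, or None, in which case the AS must
    render an error to the user and must not redirect anywhere."""
    requested = params.get("redirect_uri")
    registered = client["redirect_uris"]
    if requested is None:
        # redirect_uri may only be omitted when exactly one URI is registered.
        return registered[0] if len(registered) == 1 else None
    return requested if redirect_uri_allowed(registered, requested) else None


# Constructed sample client registrations (hypothetical client_ids and hosts).
WEB_CLIENT = {"client_id": "web-app", "redirect_uris": ["https://app.example/cb"]}
NATIVE_CLIENT = {"client_id": "cli-tool", "redirect_uris": ["http://127.0.0.1/cb"]}

if __name__ == "__main__":
    for uri in ["https://app.example/cb",
                "https://app.example/cb?next=https://evil.example/",
                "https://app.example/cb/../admin",
                "https://APP.example/cb"]:
        print(f"{uri:55} strict={redirect_uri_allowed(WEB_CLIENT['redirect_uris'], uri)!s:5} "
              f"prefix={prefix_allowed(WEB_CLIENT['redirect_uris'], uri)}")
    for uri in ["http://127.0.0.1:49152/cb",
                "http://127.0.0.1:49152/admin",
                "http://localhost:49152/cb"]:
        print(f"{uri:55} strict={redirect_uri_allowed(NATIVE_CLIENT['redirect_uris'], uri)}")
```

The point of the contrast is the second and third web-client URIs: prefix matching accepts a redirect_uri with an attacker-chosen query string or path suffix, while strict matching rejects anything that is not the registered string. When `resolve_redirect_uri` returns None the AS must not fall back to the supplied value; it shows the error to the user directly.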
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth