The discussion yesterday was about the redirect_uri parameter at the token endpoint, not at the authorization endpoint.

The redirect_uri parameter at the authorization endpoint is currently:

* optional if the client has only one redirect URI registered
* required if the client has multiple redirect URIs registered

The redirect_uri parameter at the token endpoint is currently:

* required if the authorization request included the redirect_uri parameter, and optional otherwise

The discussion yesterday led to the conclusion that making any changes to the parameter at the token endpoint in either direction (either always required or omitting it entirely) would lead to worse interoperability.

Aaron

On Wed, Jul 27, 2022 at 9:38 AM Warren Parad <wparad=40rhosys...@dmarc.ietf.org> wrote:

> Can you explain why you think:
>>
>> But definitely cannot be both (as in the present definition).
>
> From a theoretical perspective, of course it can be. But perhaps there is a concrete reason you think otherwise, I think it would be prudent to share that context explicitly with an explanation here. That way we aren't opening old conversations in the middle of the meeting, and also it lets us be prepared to understand the perspective without having to dive in on the spot.
>
> On Wed, Jul 27, 2022 at 2:42 PM Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac...@dmarc.ietf.org> wrote:
>
>> Dear Aaron,
>>
>> 1. Yesterday you brought up an important issue of choosing "redirect_uri" to be REQUIRED vs OPTIONAL parameter at the authorization code endpoint. The esteemed members had their considered opinion that the definition should remain as it is.
>>
>> 2. However, I am of the opinion that an important parameter like "redirect_uri" needs to be more clearly defined. It can either be OPTIONAL or REQUIRED, but definitely cannot be both (as in the present definition). Maybe Aaron can bring up the topic again for discussion in the side meeting for further deliberations.
>>
>> Regards
>> Jaimandeep Singh
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
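The conditional rules summarized at the top of this thread, written out as server-side checks. This is an added example, not part of the original email or of any OAuth specification text. The `Client` and `Grant` records, the function names, exact-string URI comparison, and the requirement that the token-endpoint value equal the one sent at the authorization endpoint are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import List, Optional


class OAuthError(Exception):
    """Raised when a request violates the redirect_uri rules."""


@dataclass
class Client:  # hypothetical client registration record
    client_id: str
    redirect_uris: List[str]


@dataclass
class Grant:  # hypothetical state stored with an issued authorization code
    client_id: str
    sent_redirect_uri: Optional[str]  # exactly what the authorization request carried


def authorize(client: Client, redirect_uri: Optional[str]) -> Grant:
    """Authorization endpoint: optional with one registered URI, required with several."""
    if redirect_uri is None:
        if len(client.redirect_uris) != 1:
            raise OAuthError("redirect_uri required unless exactly one URI is registered")
    elif redirect_uri not in client.redirect_uris:  # assumption: exact string match
        raise OAuthError("redirect_uri is not registered for this client")
    # Record what was actually sent (None if omitted); the token endpoint keys off this.
    return Grant(client.client_id, redirect_uri)


def redeem(grant: Grant, redirect_uri: Optional[str]) -> bool:
    """Token endpoint: required only if the authorization request included it."""
    if grant.sent_redirect_uri is None:
        return True  # optional here; this sketch ignores a value sent anyway
    if redirect_uri is None:
        raise OAuthError("redirect_uri required: it was sent in the authorization request")
    if redirect_uri != grant.sent_redirect_uri:
        raise OAuthError("redirect_uri does not match the authorization request")
    return True


if __name__ == "__main__":
    # Constructed sample clients; the URIs are placeholders.
    single = Client("single", ["https://app.example/cb"])
    grant = authorize(single, None)   # omitted at the authorization endpoint
    print(redeem(grant, None))        # so it may be omitted at the token endpoint
```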