I struggled w/ this conflict as well during implementation since we also tie
the redirection URI to client identity. However, URI preregistration is not
required by the spec (3.1.1, paragraph 3, so, if a provider's redirect_uri
validation is not dependent on client_id (be it a subset of URIs, or
In "4.1.2.1. Error Response" it says:
If the resource owner denies the access request or if the request
fails for reasons other than a missing or invalid redirection URI,
the authorization server informs the client by adding the following
parameters to the query component of the redirectio
