It seems to me that if one auth server can create tokens for a diverse set
of resource servers, then why not have different user authorization endpoint
URLs for each type of resource server, as an added differentiator for the
scope (a namespace, if you will)?
So suppose one auth server serves two
This is a great point.
Facebook validates that the client_id matches the registered redirect_uri
before giving a redirect error. Otherwise, just display a screen directly
saying that the app is misconfigured. Mis-specifying the redirect_uri is the
type of error that should normally be caught in
