Registration : redirect_uris changed by server

Issue #1016 resolved
Edmund Jay created an issue

In section 3.2 Client Registration Response :

The Authorization Server MAY reject or replace any of the Client's requested field values and substitute them with suitable values. 
If this happens, the Authorization Server MUST include these fields in the response to the Client.

There is no provision that states that redirect_uris must be echoed back to the client. If the server changes any of the redirect_uris, what does the client do?

There is no provision for the client to check that the redirect_uris are the same as what was sent in the request. Theoretically, clients could end up with client_ids that don't work.
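A client-side check for the situation raised above, as an added example that is not part of the original issue or of the specification: it compares the metadata the client sent with the registration response and reports redirect_uris the server dropped, rewrote, or did not echo. The function name, result keys and sample values are assumptions made for illustration, and exact string comparison of URIs is assumed.

```python
def _same(a, b):
    # Treat list-valued metadata (redirect_uris, contacts, ...) as unordered.
    if isinstance(a, list) and isinstance(b, list):
        return sorted(a) == sorted(b)
    return a == b


def check_registration(requested, registered):
    """Diff the client's requested metadata against the server's response."""
    replaced, missing = {}, []
    for field, wanted in requested.items():
        if field not in registered:
            missing.append(field)  # server did not echo this field at all
        elif not _same(wanted, registered[field]):
            replaced[field] = {"requested": wanted,
                               "registered": registered[field]}

    echoed = registered.get("redirect_uris")
    # A requested URI absent from the echoed list cannot be used in an
    # authorization request for this client_id.
    unusable = [u for u in requested.get("redirect_uris", [])
                if echoed is not None and u not in echoed]
    return {
        "replaced": replaced,
        "missing": missing,
        "unusable_redirect_uris": unusable,
        # Only trust the registration if redirect_uris came back intact.
        "usable": echoed is not None and not unusable,
    }


# Constructed sample data (not from a real server).
REQUEST = {"client_name": "Example RP",
           "redirect_uris": ["https://rp.example/cb", "https://rp.example/cb2"]}
RESPONSE_CHANGED = {"client_id": "constructed-client-id",
                    "client_name": "Example RP",
                    "redirect_uris": ["https://rp.example/cb"]}
RESPONSE_SILENT = {"client_id": "constructed-client-id",
                   "client_name": "Example RP"}

if __name__ == "__main__":
    for name, resp in (("changed", RESPONSE_CHANGED), ("silent", RESPONSE_SILENT)):
        print(name, check_registration(REQUEST, resp))
```

A response that omits redirect_uris is reported as not usable because the client cannot tell whether its values were accepted.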

Comments (3)

  1. Tom Jones

    Since the redirect_uris originate with the RP (client) during registration, I do not believe that any other server should be allowed to substitute them.
