redirect_uri definition contradiction in docs
Issue #1153
resolved
Section “3.1.2.1. Authentication Request” specifies that “redirect_uri” is REQUIRED.
But “3.1.3.2. Token Request Validation” says: “If the redirect_uri parameter value is not present when there is only one registered redirect_uri value, the Authorization Server MAY return an error (since the Client should have included the parameter) or MAY proceed without an error (since OAuth 2.0 permits the parameter to be omitted in this case).” This sentence makes the field OPTIONAL.
Comments (2)
- changed status to resolved
Joseph's description of the intent of the spec is accurate.
Not necessarily a contradiction:
Clients are required to supply redirect_uri.
Servers are allowed to (but not required to) proceed even if redirect_uri is missing, which is following the general “be strict in what you send, be generous in what you accept” principle often referenced by the IETF/RFCs.
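As an added illustration of the two spec clauses discussed in this issue (not text from the OpenID Connect specification or code from any project), the check below shows how a token endpoint can bind the Authentication Request's required redirect_uri to the authorization code and then apply either the "MAY return an error" or the "MAY proceed" choice when the token request omits the parameter. The client records, the sample URIs and the function and parameter names are constructed for the example.

```python
# Added example (not spec text or any project's code): token-endpoint check
# for the redirect_uri parameter, covering both choices 3.1.3.2 leaves open.
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    redirect_uris: tuple  # redirect URIs pre-registered for this client


def check_token_request_redirect_uri(client, code_redirect_uri,
                                     token_redirect_uri,
                                     lenient_single_uri=False):
    """Validate the redirect_uri parameter of a token request.

    code_redirect_uri  : redirect_uri that was bound to the authorization code
                         when it was issued; 3.1.2.1 makes it REQUIRED in the
                         Authentication Request, so it is always available.
    token_redirect_uri : redirect_uri parameter of the token request, or None
                         when the client omitted it.
    lenient_single_uri : select the spec's "MAY proceed" branch when the
                         parameter is absent and exactly one URI is registered.

    Returns (accepted, detail). Comparison is simple string comparison with
    no normalisation and no prefix matching, which is what the spec requires
    for redirect URIs.
    """
    if token_redirect_uri is None:
        if lenient_single_uri and len(client.redirect_uris) == 1:
            only_uri = client.redirect_uris[0]
            if only_uri != code_redirect_uri:
                return False, "registered URI does not match the one bound to the code"
            return True, only_uri  # 3.1.3.2: MAY proceed without an error
        return False, "redirect_uri parameter missing"  # 3.1.3.2: MAY return an error
    if token_redirect_uri not in client.redirect_uris:
        return False, "redirect_uri not registered for this client"
    if token_redirect_uri != code_redirect_uri:
        return False, "redirect_uri differs from the Authentication Request value"
    return True, token_redirect_uri


# Constructed sample clients: one with a single registered URI, one with two.
SINGLE = RegisteredClient("app-one", ("https://app.example/cb",))
MULTI = RegisteredClient("app-two", ("https://app.example/cb",
                                     "https://app.example/cb2"))

if __name__ == "__main__":
    bound = "https://app.example/cb"  # value stored with the code at issuance
    for label, client, sent, lenient in [
        ("single client, parameter present", SINGLE, bound, False),
        ("single client, parameter omitted, strict", SINGLE, None, False),
        ("single client, parameter omitted, lenient", SINGLE, None, True),
        ("multi client, parameter omitted, lenient", MULTI, None, True),
        ("multi client, other registered URI", MULTI, "https://app.example/cb2", False),
    ]:
        print(label, "->", check_token_request_redirect_uri(client, bound, sent, lenient))
```

The lenient branch is only reachable when the registered set has exactly one entry, so a client with several registered URIs that omits the parameter is always rejected; and even in the lenient case the single registered URI must still equal the value bound to the code, which keeps the token request tied to the Authentication Request it completes.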