Response parameter encoding of "None" Case

Issue #399 wontfix
Ryo Ito created an issue

oauth-v2-multiple-response-types-1_0.xml

Section 4: Any parameters added to the redirect_uri should be query encoded. This applies to both successful responses and error responses.


Why are the response parameters query encoded only in this case? Like the other cases defined in this spec, I think they should be returned in the fragment.

Comments (2)

  1. John Bradley

    The flow 'none' is used in market-type installation-time-approval-prompt scenarios where the page starting the flow is not the intended application to receive it.

    At most, the receiving application needs to detect that the user has completed the task (i.e., a 'yes', 'no', or 'quit' indicator). If the application can obtain this information through means other than a redirect (e.g., window closing), it doesn't need to use the redirect_uri at all.

    Given that it's a one-time setup process, it does not involve the transmission of sensitive information, and may be implemented without redirects (to prevent post-approval page reloads), we think there is no motivation for fragment encoding, and query encoding is usually easier to implement.
