Core - Explicitly Ban 307 as the authorization response redirect

Issue #996 resolved
Nat Sakimura created an issue

It is something that should be dealt with in RFC6749 but we may as well note it.

Comments (4)

  1. Brian Campbell

    A 307 is okay as long as it doesn't immediately follow something like the POSTing of credentials to the AS/OP. Not sure, but the note might be better positioned as considerations around when not to use a 307 vs. an outright ban.
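Added example, not part of the issue thread or of any specification text: a small model of how a user agent follows each redirect status, used to check whether form fields POSTed to the AS/OP would be repeated to the client's redirect URI. The function names, the sample login body and the `client.example` URL are constructed for illustration.

```python
from urllib.parse import parse_qs

# 307 and 308 require the user agent to repeat the request with the same
# method and body (RFC 7231 section 6.4.7, RFC 7538). 303 turns the follow-up
# into a GET, and browsers do the same for a POST answered with 301 or 302.
METHOD_PRESERVING = {307, 308}
REWRITTEN_FOR_POST = {301, 302, 303}


def next_request(method, body, status, location):
    """Model the request a browser sends after following one redirect."""
    if status in METHOD_PRESERVING:
        return method, location, body
    if status in REWRITTEN_FOR_POST:
        if method == "POST":
            return "GET", location, None
        return method, location, body
    raise ValueError(f"not a redirect status handled here: {status}")


def fields_sent_to_client(method, body, status, location,
                          sensitive=("username", "password")):
    """Names of sensitive form fields that would reach the redirect URI."""
    _, _, forwarded = next_request(method, body, status, location)
    if not forwarded:
        return []
    form = parse_qs(forwarded)
    return sorted(name for name in sensitive if name in form)


# Constructed sample: the login form POSTed to the AS/OP, and the
# authorization response redirect the AS/OP answers with.
LOGIN_BODY = "username=alice&password=correct-horse&csrf=abc123"
REDIRECT = "https://client.example/cb?code=SAMPLECODE&state=xyz"

if __name__ == "__main__":
    for status in (302, 303, 307):
        leaked = fields_sent_to_client("POST", LOGIN_BODY, status, REDIRECT)
        print(status, "after credential POST ->", leaked or "nothing forwarded")
    # A 307 that answers a plain GET carries no body to repeat.
    print(307, "after GET ->", fields_sent_to_client("GET", None, 307, REDIRECT))
```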
