what is authenticity and integrity of the redirect URI?

Issue #343 resolved
Brian Campbell created an issue

Baseline has "shall require the redirect_uri parameter in authorization requests and evaluate only this parameter to ensure authenticity and integrity of the redirect URI"

What does "evaluate only this parameter to ensure authenticity and integrity" mean? I don't know and don't know how I'd do it. I'm guessing this text is somehow related to wanting to allow non-static redirect URIs to be sent in authenticated PAR. But I can't tell what it actually means or how one would conform to this (other than requiring the redirect_uri parameter).

Comments (5)

  1. Dave Tonge

    I agree that its a bit confusing. Do we not just need the first part: “shall require the redirect_uri parameter in authorization requests”?

  2. Daniel Fett

    As discussed on the call:

    • Leave redirect_uri as a required parameter (only edge cases when it can be left out, mandatory in OIDC)
    • Leave AS behavior of non-registered redirect_uris up to the AS
    • PAR should have a more descriptive error message

  3. Log in to comment