@@ -839,7 +839,7 @@ component ([RFC3986] Section 3.4), which MUST be retained when adding |
|
|
additional query parameters. The endpoint URI MUST NOT include a |
|
|
fragment component. |
|
|
|
|
|
#### 3.1.2.1. Endpoint Request Confidentiality |
|
|
##### 3.1.2.1. Endpoint Request Confidentiality |
|
|
|
|
|
The redirection endpoint SHOULD require the use of TLS as described |
|
|
in Section 1.6 when the requested response type is "code" or "token", |
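Review bot: the one-level heading bump (`####` to `#####`) on 3.1.2.1 is only correct if the enclosing 3.1.2 heading is rendered at `####`; that line sits above this hunk's context, so confirm it before merging, otherwise the numbered hierarchy (3 > 3.1 > 3.1.2 > 3.1.2.1) and the rendered depth diverge. The normative context lines (no fragment component, TLS on the redirection endpoint) are unchanged.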
|
|
@@ -859,7 +859,7 @@ critical when the authorization process is used as a form of |
|
|
delegated end-user authentication by the client (e.g., third-party |
|
|
sign-in service). |
|
|
|
|
|
#### 3.1.2.2. Registration Requirements |
|
|
##### 3.1.2.2. Registration Requirements |
|
|
|
|
|
The authorization server MUST require the following clients to |
|
|
register their redirection endpoint: |
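Review bot: for a spec-mirror edit like this, the property worth checking is that the removed and added heading lines differ only in the leading `#` characters, so no RFC 6749 text drifts; here "3.1.2.2. Registration Requirements" is identical on both lines, which is what we want.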
|
|
@@ -886,7 +886,7 @@ Lack of a redirection URI registration requirement can enable an |
|
|
attacker to use the authorization endpoint as an open redirector as |
|
|
described in Section 10.15. |
|
|
|
|
|
#### 3.1.2.3. Dynamic Configuration |
|
|
##### 3.1.2.3. Dynamic Configuration |
|
|
|
|
|
If multiple redirection URIs have been registered, if only part of |
|
|
the redirection URI has been registered, or if no redirection URI has |
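Review bot: if the renderer derives anchor ids from heading text, links to "Dynamic Configuration" keep working after this change because only the level moves, not the text; the cross-reference in the context line ("described in Section 10.15") is plain text and is likewise unaffected.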
|
|
@@ -901,14 +901,14 @@ URIs were registered. If the client registration included the full |
|
|
redirection URI, the authorization server MUST compare the two URIs |
|
|
using simple string comparison as defined in [RFC3986] Section 6.2.1. |
|
|
|
|
|
#### 3.1.2.4. Invalid Endpoint |
|
|
##### 3.1.2.4. Invalid Endpoint |
|
|
|
|
|
If an authorization request fails validation due to a missing, |
|
|
invalid, or mismatching redirection URI, the authorization server |
|
|
SHOULD inform the resource owner of the error and MUST NOT |
|
|
automatically redirect the user-agent to the invalid redirection URI. |
|
|
|
|
|
#### 3.1.2.5. Endpoint Content |
|
|
##### 3.1.2.5. Endpoint Content |
|
|
|
|
|
The redirection request to the client's endpoint typically results in |
|
|
an HTML document response, processed by the user-agent. If the HTML |
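Review bot: two headings (3.1.2.4 and 3.1.2.5) move in one hunk and both land at `#####`, consistent with the earlier 3.1.2.x changes; if the repository keeps a generated table of contents, it needs regenerating since the nesting depth of these entries changes. The redirect-handling text in between (SHOULD inform the resource owner, MUST NOT redirect to the invalid URI) is context only.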
|
|
@@ -1175,7 +1175,7 @@ specification. The client should avoid making assumptions about code |
|
|
value sizes. The authorization server SHOULD document the size of |
|
|
any value it issues. |
|
|
|
|
|
#### 4.1.2.1. Error Response |
|
|
##### 4.1.2.1. Error Response |
|
|
|
|
|
If the request fails due to a missing, invalid, or mismatching |
|
|
redirection URI, or if the client identifier is missing or invalid, |
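Review bot: the parent heading for 4.1.2.1 (4.1.2) is outside the shown context, so the same parent-depth check as for 3.1.2 applies here: it must be at `####` for the new `#####` to be right.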
|
|
@@ -1513,7 +1513,7 @@ token string size is left undefined by this specification. The |
|
|
client should avoid making assumptions about value sizes. The |
|
|
authorization server SHOULD document the size of any value it issues. |
|
|
|
|
|
#### 4.2.2.1. Error Response |
|
|
##### 4.2.2.1. Error Response |
|
|
|
|
|
If the request fails due to a missing, invalid, or mismatching |
|
|
redirection URI, or if the client identifier is missing or invalid, |
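Review bot: 4.1.2.1 and 4.2.2.1 are the only section-4 four-part headings touched by this patch; before merging, grep for any remaining `^#### [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+` lines so that every four-part heading gets the same treatment rather than only the ones visible here.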
|
|