aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Redirect to Web #74

Closed yaronf closed 5 months ago

yaronf commented 6 months ago

Is the expectation that the URI that the browser will use is hardcoded in the native app? Otherwise, shouldn't it be returned with the error response? Or do we always assume PAR is used?

aaronpk commented 5 months ago

The change in this draft is that redirect_to_web is just an error now, indicating that the client should start a traditional OAuth flow. So there is no dynamic way for the server to return an authorization endpoint URL defined by this draft; it's just however you'd be doing it in the standard OAuth way.

yaronf commented 5 months ago

Makes sense.
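
The fallback discussed in this thread, sketched as an added example that is not part of the thread or the draft: a client that receives the redirect_to_web error builds an ordinary authorization code + PKCE (RFC 7636) request against the authorization endpoint it already knows. The configuration values, the function names and the JSON error body shape are assumptions for illustration.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Assumed client configuration (constructed values). The authorization
# endpoint is known the standard OAuth way (static config or RFC 8414
# metadata); it is never read from the error response.
CLIENT_CONFIG = {
    "authorization_endpoint": "https://as.example.com/authorize",
    "client_id": "example-native-app",
    "redirect_uri": "com.example.app:/callback",
    "scope": "openid profile",
}


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = secrets.token_urlsafe(48)  # 64 characters, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def handle_challenge_error(body, config=CLIENT_CONFIG):
    """Decide what to do with an error body from the first-party flow."""
    try:
        error = json.loads(body).get("error")
    except (ValueError, TypeError, AttributeError):
        return {"action": "fail", "reason": "malformed error response"}
    if error != "redirect_to_web":
        return {"action": "fail", "reason": error}
    # Any URL-like member in the body is ignored, so a tampered response
    # cannot choose where the browser is sent.
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "scope": config["scope"],
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    url = config["authorization_endpoint"] + "?" + query
    # The caller stores state and code_verifier for the redirect and token steps.
    return {"action": "open_browser", "url": url,
            "state": state, "code_verifier": verifier}
```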