Closed yaronf closed 6 months ago
The change in this draft is that redirect_to_web is just an error now, indicating that the client should start a traditional OAuth flow. So there is no dynamic way for the server to return an authorization endpoint URL defined by this draft; it's just however you'd be doing it in the standard OAuth way.
Makes sense.
Is the expectation that the URI that the browser will use is hardcoded in the native app? Otherwise, shouldn't it be returned with the error response? Or do we always assume PAR is used?