oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Mark redirect_uri as a required parameter in the authorization request? #137

Closed vanbukin closed 1 year ago

vanbukin commented 1 year ago

I'm trying to build an OAuth framework for .NET that supports OAuth 2.1 and OpenID Connect 1.0 and found that OIDC requires redirect_uri in the authorization request, but in the current OAuth 2.1 draft it is marked as optional (and only required if the client has multiple pre-registered redirect URIs). Maybe it can be marked as required to simplify the logic for checking authorization requests on the side of the authorization server?

aaronpk commented 1 year ago

That's interesting that OpenID Connect requires it. It's always been optional in OAuth 2.0 from the beginning: https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1. I don't think this is something we changed in OAuth 2.1.
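
The check discussed in this thread, as an added example that is not part of either comment or of any project's code: an authorization server resolving the effective redirect URI when the parameter is optional (single registered URI) and when policy makes it mandatory. `Client`, `resolve_redirect_uri` and `require_param` are hypothetical names, the URIs are constructed, and exact string comparison is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


class InvalidRedirectUri(Exception):
    """No trustworthy redirect URI could be determined.

    The caller must show the error to the user directly and must not
    redirect the user agent to the URI taken from the request.
    """


@dataclass(frozen=True)
class Client:
    # Hypothetical registration record held by the authorization server.
    client_id: str
    redirect_uris: Sequence[str]


def resolve_redirect_uri(client: Client, requested: Optional[str],
                         require_param: bool = False) -> str:
    """Return the redirect URI to use for this authorization request.

    require_param=False: the parameter may be omitted only when exactly
    one URI is registered (the behaviour described in the issue).
    require_param=True: the parameter is always mandatory (the OIDC-style
    rule the issue proposes).
    """
    # A parameter sent without a value is treated as omitted (RFC 6749).
    if not requested:
        if require_param:
            raise InvalidRedirectUri("redirect_uri is required")
        if len(client.redirect_uris) == 1:
            return client.redirect_uris[0]
        raise InvalidRedirectUri(
            "redirect_uri omitted but client does not have exactly one registered URI")
    # A supplied value must always match a registered URI, even when
    # only one is registered: never trust the request over the registration.
    if requested in client.redirect_uris:
        return requested
    raise InvalidRedirectUri("redirect_uri does not match a registered URI")


if __name__ == "__main__":
    # Constructed sample registration.
    single = Client("app1", ["https://app.example/cb"])
    print(resolve_redirect_uri(single, None))
```

Either policy still needs the match against registered URIs; making the parameter required removes only the "omitted" branch.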