Closed michielbdejong closed 8 years ago
I'd opt for MUST, since it is a security-related matter.
The OAuth RFC also uses MUST for those kinds of things, which are conveniently ignored in dev:
The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests using password authentication.
But I don't see how ignoring the relation between client_id and redirect_uri would be useful in any way in development?
Also, I would rephrase it from the server's perspective
:+1:
Bump, I think this is eligible for 07
Continuation of 'PS:' remark from https://github.com/remotestorage/spec/pull/141#issuecomment-165902749
I would say 'SHOULD' not 'MUST', since you might want to ignore the rule if you implement a server for your own localhost use without this restriction.
Also, I would rephrase it from the server's perspective, so 'the server SHOULD reject OAuth requests where the client_id is not equal to the origin of the redirect_uri'.
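The rule under discussion, written from the server's perspective as an added example (this is illustrative code, not part of the remoteStorage spec or any of its implementations; the function names `origin_of` and `check_client_origin`, the `allow_loopback` switch and the sample URIs are all assumptions). It normalises both sides to a scheme://host[:port] origin before comparing, so case differences and explicit default ports do not produce spurious rejections, and it shows the localhost relaxation mentioned above as an explicit, opt-in server policy:

```python
from urllib.parse import urlsplit

# Schemes accepted for a redirect_uri, with their default ports. Plain http is
# listed only so the loopback case below can be demonstrated (assumption).
_DEFAULT_PORTS = {"https": 443, "http": 80}
_LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def origin_of(uri: str):
    """Return the normalised origin (scheme://host[:port]) of a URI, or None
    if it is not an absolute http(s) URI with a usable host."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal: keep the brackets in the serialised origin
        host = f"[{host}]"
    if port is None or port == _DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def check_client_origin(client_id: str, redirect_uri: str, allow_loopback: bool = False):
    """Decide whether an OAuth authorization request passes the
    client_id == origin(redirect_uri) rule. Returns (accepted, reason)."""
    cid = urlsplit(client_id)
    # A client_id carrying a path, query or fragment is not an origin at all.
    if cid.path not in ("", "/") or cid.query or cid.fragment:
        return False, "client_id is not a bare origin"
    client_origin = origin_of(client_id)
    redirect_origin = origin_of(redirect_uri)
    if client_origin is None or redirect_origin is None:
        return False, "client_id or redirect_uri is not an absolute http(s) URI"
    if client_origin == redirect_origin:
        return True, "client_id matches the origin of redirect_uri"
    # The relaxation discussed in the thread: a server run for one's own
    # localhost use may skip the rule when the redirect target is loopback.
    if allow_loopback and urlsplit(redirect_uri).hostname in _LOOPBACK_HOSTS:
        return True, "loopback redirect_uri accepted by local policy"
    return False, f"client_id {client_origin} != redirect_uri origin {redirect_origin}"


if __name__ == "__main__":
    # Constructed sample requests, not real clients.
    for cid, ruri in [
        ("https://app.example.com", "https://app.example.com/callback"),
        ("https://app.example.com", "https://other.example.net/callback"),
        ("http://localhost:8000", "http://127.0.0.1:8000/cb"),
    ]:
        print(cid, ruri, check_client_origin(cid, ruri))
```

The check is deliberately strict about the client_id itself: a value with a path or query is rejected as malformed rather than being silently reduced to its origin, which keeps the log reason meaningful when a client is misconfigured.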