@@ -533,11 +533,13 @@ for certificate validation and other security considerations.
533533
534534This specification makes extensive use of HTTP redirections, in which
535535the client or the authorization server directs the resource owner's
536- user agent to another destination. While the examples in this
537- specification show the use of the HTTP 302 status code, any other
538- method available via the user agent to accomplish this redirection,
539- with the exception of HTTP 307, is allowed and is considered to be an
540- implementation detail. See {{redirect_307}} for details.
536+ user agent to another destination.
537+ While this specification
538+ forbids the use of the 307 status code (see {{redirect_307}})
539+ and illustrates the use of the 302 status code,
540+ any other mechanism to accomplish the above redirection
541+ is legitimate and is considered as an implementation detail as long as
542+ it does not expose user credentials to untrusted parties.
541543
542544
543545# # Interoperability
@@ -966,35 +968,38 @@ Extension grant types MAY define additional endpoints as needed.
966968# # Authorization Endpoint
967969
968970The authorization endpoint is used to interact with the resource
969- owner and obtain an authorization grant. The authorization server
970- MUST first verify the identity of the resource owner. The way in
971- which the authorization server authenticates the resource owner
971+ owner and obtain an authorization grant. The AS
972+ MUST first authenticate the resource owner. The way in
973+ which the AS authenticates the resource owner
972974(e.g., username and password login, session cookies) is beyond the
973975scope of this specification.
974976
975- The means through which the client obtains the location of the
977+ The means through which the client obtains the URL of the
976978authorization endpoint are beyond the scope of this specification,
977- but the location is typically provided in the service documentation,
979+ but the URL is typically provided in the service documentation,
978980or in the authorization server's metadata document ({{RFC8414}}).
979981
980- The endpoint URI MAY include an "application/x-www-form-urlencoded"
982+ The authorization endpoint URL :
983+
984+ - MUST NOT include a fragment component;
985+ - MAY include an "application/x-www-form-urlencoded"
981986formatted query component {{WHATWG.URL}},
982- which MUST be retained when adding additional query parameters. The
983- endpoint URI MUST NOT include a fragment component.
987+ which MUST be retained when adding additional query parameters.
984988
985- The authorization server MUST support the use of the HTTP `GET`
986- method Section 9.3.1 of {{RFC9110}} for the authorization endpoint and MAY support
987- the ` POST` method ( Section 9.3.3 of RFC9110) as well .
989+ The authorization endpoint
990+ MUST support GET requests (see Section 9.3.1 of {{RFC9110}})
991+ and MAY support POST requests (see Section 9.3.3 of {{ RFC9110}}) .
988992
989- The authorization server MUST ignore unrecognized request parameters.
993+ The authorization endpoint MUST ignore unrecognized request parameters.
990994
991995Request and response parameters
992996defined by this specification MUST NOT be included more than once.
993997Parameters sent without a value MUST be treated as if they were
994998omitted from the request.
995999
996- An authorization server that redirects a request potentially containing
997- user credentials MUST avoid forwarding these user credentials accidentally
1000+ An authorization endpoint that redirects a request potentially containing
1001+ user credentials is expected to define a trust boundary and to not
1002+ forward these credentials outside it
9981003(see {{redirect_307}} for details).
9991004
10001005# # Token Endpoint
0 commit comments