
OAuth 2: requiring redirect_uri is not compliant to RFC 6749 #4363

Closed
westnordost opened this issue Nov 22, 2023 · 2 comments


westnordost commented Nov 22, 2023

Reproduction

  1. When making an OAuth2 authorization request, omit the redirect_uri. E.g. open https://master.apis.dev.openstreetmap.org/oauth2/authorize?response_type=code&client_id=nOkiqW1fUHssu_e0Qbk6yLx7659s19CUx3nGmOP5JZk&scope=read_prefs in the browser

  2. Authorization server responds with "The requested redirect uri is malformed or doesn't match client redirect URI."

Description

This does not seem to be compliant to RFC 6749 - The OAuth 2.0 Authorization Framework:

  • 4.1.1. Authorization Request lists redirect_uri as OPTIONAL

  • 4.1.3. Access Token Request lists redirect_uri only as REQUIRED if it was supplied in the authorization request

  • 3.1.2.3. Dynamic Configuration clarifies that only if no redirection URI has been registered for the client, a redirect_uri MUST be included in the authorization request. (When a redirect_uri is included in an authorization request, the authorization server MUST compare and match the value received against at least one of the registered redirection URIs)

  • 3.1.2.2. Registration Requirements specifies that public clients MUST specify their redirect endpoint upon registration.

    In fact, OpenStreetMap currently enforces that any client, even confidential ones, have to specify (at least one) redirect uri upon registration:
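As an added example (not code from doorkeeper or the OpenStreetMap site), here is the decision an authorization server should make about a missing or supplied redirect_uri under the RFC 6749 sections cited above; the function name, the Result struct and the sample URIs are constructed for illustration:

```ruby
# Added example, not doorkeeper's or OpenStreetMap's code: the redirect_uri
# decision of RFC 6749 section 3.1.2.3 at the authorization endpoint.
# Names are hypothetical; all URIs below are constructed sample values.
require 'uri'

# :ok      -> proceed, redirecting to redirect_uri
# :invalid -> do NOT redirect; show the error to the resource owner (4.1.2.1)
Result = Struct.new(:status, :redirect_uri, :reason)

def resolve_redirect_uri(registered_uris, requested_uri)
  registered = Array(registered_uris).compact.map(&:to_s).reject(&:empty?)

  if requested_uri.nil? || requested_uri.strip.empty?
    # 3.1.2.3: redirect_uri may be omitted only when exactly one complete
    # redirection URI was registered; the server then uses that one.
    case registered.size
    when 1 then Result.new(:ok, registered.first, 'defaulted to the single registered URI')
    when 0 then Result.new(:invalid, nil, 'no registered redirection URI and none supplied')
    else        Result.new(:invalid, nil, 'several registered URIs; redirect_uri must be supplied')
    end
  else
    # 3.1.2: a redirection URI must be absolute and carry no fragment.
    uri = (URI.parse(requested_uri) rescue nil)
    if uri.nil? || uri.scheme.nil? || uri.fragment
      return Result.new(:invalid, nil, 'redirect_uri is not an absolute fragment-free URI')
    end
    # 3.1.2.3: compare against the registered URIs by simple string comparison.
    if registered.include?(requested_uri)
      Result.new(:ok, requested_uri, 'matches a registered redirection URI')
    else
      Result.new(:invalid, nil, 'redirect_uri does not match any registered redirection URI')
    end
  end
end

# The case from this report: one registered URI, redirect_uri omitted.
# Under the RFC this is valid and the registered URI is used.
puts resolve_redirect_uri(['https://app.example/callback'], nil).inspect
```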

westnordost changed the title from "OAuth 2: requiring rederict_uri is not compliant to RFC 6749" to "OAuth 2: requiring redirect_uri is not compliant to RFC 6749" on Nov 22, 2023

tomhughes (Member) commented

OAuth 2 is implemented by doorkeeper so unless you have some evidence that this is an issue with the way we have configured it then it's a matter for them not us.

westnordost (Author) commented

I did some research.

So, in doorkeeper, there is the allow_blank_redirect_uri config option, but I think this refers to allowing the redirection URL to be left unspecified at client registration:
https://github.com/doorkeeper-gem/doorkeeper/wiki/Allow-blank-redirect-URI-for-Applications

So, I created a ticket in doorkeeper.
doorkeeper-gem/doorkeeper#1678
