Consider dropping `me` from the GET request that contains the code #167
Comments
This would also apply to the IndieAuth spec redirect described here https://indieweb.org/authorization-endpoint#Redirect_to_web_application
hmm. oauth-dropins is stateless and re-fetches
Duplicate of #85? Also see Inklings-io/selfauth#10.
This is a good reason. For a login (identification, Also note that the returned
It removes the ability of the endpoint to normalize the URL (e.g. http->https, or other redirects), but I'm not sure if that's actually a thing in current implementations. Other than that no reason to keep it.
@snarfed clients should be using the
The response from either a code verification or token exchange includes the final
Right. Then I agree, no reason to have the parameter in the callback
...since it's going away: aaronpk/IndieAuth.com#167
Duplicate of #85
The client should have already established a session or used the `state` to store things. Removing it from the request will make sure people don't accidentally think this is trusted information at this stage.
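The client-side handling this thread argues for, as an added example that is not part of the original issue or of any project's code: the callback handler never reads `me` from the query string, binds the callback to the session through `state`, and takes the identity only from the code verification response. `handle_callback`, `verify_code`, `fake_endpoint`, the session layout and all URLs are hypothetical names and constructed values.

```python
import hmac
from urllib.parse import parse_qs, urlsplit


class CallbackError(Exception):
    """Raised when the authorization callback must be rejected."""


def handle_callback(callback_url, session, verify_code):
    """Return the verified profile URL for a redirect back to the client.

    session: dict stored before redirecting the user (assumed keys:
             'state', 'client_id', 'redirect_uri').
    verify_code: hypothetical callable that POSTs the code to the
             authorization endpoint and returns the parsed response dict.
    """
    params = parse_qs(urlsplit(callback_url).query)
    code = params.get("code", [""])[0]
    state = params.get("state", [""])[0]

    # state ties this callback to the session that started the login.
    expected = session.get("state", "")
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise CallbackError("state mismatch")
    if not code:
        raise CallbackError("missing code")

    # A 'me' value in the query string can be set by whoever built the URL,
    # so it is deliberately never read here.
    response = verify_code(code, session["client_id"], session["redirect_uri"])
    me = response.get("me")
    if not me:
        raise CallbackError("verification response carries no 'me'")
    session.pop("state")  # a state value is accepted once only
    return me


def fake_endpoint(code, client_id, redirect_uri):
    """Constructed stand-in for the real HTTP POST to the endpoint."""
    if code == "good-code":
        return {"me": "https://alice.example/"}
    return {"error": "invalid_grant"}
```
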