rfc6749

Why is redirect_uri required on Access Token request?

☆樱花仙子☆ submitted on 2019-12-23 07:58:22
Question: I'm developing an OAuth2 provider based on rfc6749 and I'm wondering, why is redirect_uri required on the Access Token Request? The /token endpoint is not redirecting and the state is assumed to be already validated (i.e. against CSRF) so a copy of the redirectURI doesn't make much sense to me.
Answer 1: In auth code flow, it's used to validate the redirect_uri in the first auth request. https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/ Granting Access Tokens The token

RFC 6749 Authentication with ServiceStack

对着背影说爱祢 submitted on 2019-12-11 09:18:09
Question: It looks like ServiceStack only accepts session-based authentication. I was reading through https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization and I couldn't find anything describing how to do what I want. I also looked at http://enehana.nohea.com/general/customizing-iauthprovider-for-servicestack-net-step-by-step/ but that also is session-based. What I would like to do is very similar to how WebAPI works with Individual User Accounts. I want to send this to

Purpose of redirect_uri parameter when exchanging code for access token

巧了我就是萌 submitted on 2019-12-11 06:38:02
Question: The RFC for OAuth2 says the redirect_uri which was specified when generating the authorization code must be included in the request to exchange the code for an access token. From the RFC:
4.1.3. Access Token Request
The client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body:
[...]
redirect_uri REQUIRED, if the "redirect_uri"