- Issue created by @kingdutch
- First commit to issue fork.
- Merge request !155Make Redirect URIs only required when authorization code grant type is active → (Open) created by dieterholvoet
redirect_uri
is used by the authorization_code
to ensure that the (web/mobile) application requesting the authorization code is the correct one. In the client_credentials
grant type it's not used because it's understood there is a direct connection between the client and server (rather than going through a user's browser) which is authenticated with a client_id and secret. This means no redirects take place and redirect_uri
is not needed.
redirect_uri
is currently part of a multi-value field which is always required. This means that consumers which only use the client_credentials
grant type (i.e. fully machine-to-machine applications) can not be created without filling in a dummy redirect URI.
Make the field only required under the "authorization code" field group when that grant type is enabled. Similar to what happens for fields such as "Use PKCE".
Active
6.0
Code