RFC Errata
RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012
Note: This RFC has been updated by RFC 8252, RFC 8996, RFC 9700
Source of RFC: oauth (sec)
Errata ID: 4819
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Lars Kemmann
Date Reported: 2016-10-05
Section 4.2.2 says:
     HTTP/1.1 302 Found
     Location: http://example.com/cb#
               access_token=2YotnFZFEjr1zCsicMWpAA
               &state=xyz&token_type=example&expires_in=3600
It should say:
     HTTP/1.1 302 Found
     Location: http://client.example.com/cb#
               access_token=2YotnFZFEjr1zCsicMWpAA
               &state=xyz&token_type=example&expires_in=3600
Notes:
In the example for section 4.2.1, the request was made with a `redirect_uri` parameter value of `redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb`. If I understand correctly, the `client` subdomain should be included in the `Location` header in the response.