10.3. Explicit Endpoints
Although this specification does not require them, research such as [BASIN] points out that it is a good practice to explicitly state the intended interaction endpoints and the message position in the sequence in a tamper-evident manner so that the intent of the initiator is unambiguous. It is RECOMMENDED by this specification to use this practice for the following endpoints defined in [RFC6749], [RFC6750], and [RFC8414]:
(a) Protected resources (protected_resources)
(b) Authorization endpoint (authorization_endpoint)
(c) Redirection URI (redirect_uri)
(d) Token endpoint (token_endpoint)
Further, if dynamic discovery is used, then this practice also applies to the discovery-related endpoints.
In [RFC6749], while the redirection URI is included in the authorization request, others are not. As a result, the same applies to the Authorization Request Object.
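The following sketch is an added example, not part of the specification: a client states the endpoints inside a signed request object, and the authorization server verifies the signature and then compares each stated endpoint with its own configuration. It assumes the claim names reuse the labels from the list above, HS256 with a shared key, and constructed example.com values.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(claims: dict, key: bytes) -> str:
    """Client side: compact JWS (HS256) over the claims, endpoints included."""
    head = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def check_endpoints(jws: str, key: bytes, server: dict, redirects: set) -> list:
    """Server side: verify the signature, then return the names of stated
    endpoints that differ from this server's view (empty list = all match)."""
    try:
        head, body, sig_b64 = jws.split(".")
        header, sig = json.loads(b64u_dec(head)), b64u_dec(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed request object") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the header's choice
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(body))
    names = ("authorization_endpoint", "token_endpoint")
    mismatches = [n for n in names if claims.get(n) != server[n]]
    if claims.get("redirect_uri") not in redirects:
        mismatches.append("redirect_uri")
    resources = claims.get("protected_resources")
    # A missing or empty list counts as a mismatch: the endpoints must be stated.
    if not isinstance(resources, list) or not resources or \
            not set(resources) <= set(server["protected_resources"]):
        mismatches.append("protected_resources")
    return mismatches

# Constructed sample values (assumptions, not taken from the specification).
KEY = b"constructed-shared-secret-for-demo"
SERVER = {"authorization_endpoint": "https://as.example.com/authorize",
          "token_endpoint": "https://as.example.com/token",
          "protected_resources": ["https://api.example.com/"]}
REDIRECTS = {"https://client.example.org/cb"}
CLAIMS = {**SERVER, "client_id": "s6BhdRkqt3",
          "redirect_uri": "https://client.example.org/cb"}
```

A request object whose stated token endpoint belongs to a different server is reported as a mismatch even though its signature is valid, which is the unambiguous statement of intent this section recommends.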