10.7. Parameter Mismatches

Given that OAuth parameter values are being sent in two different places, as normal OAuth parameters and as Request Object claims, implementations must guard against attacks that could use mismatching parameter values to obtain unintended outcomes. That is the reason that the two client ID values MUST match, the reason that only the parameter values from the Request Object are to be used, and the reason that neither request nor request_uri can appear in a Request Object.
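An authorization server check that enforces the three rules stated above, as an added example that is not part of the specification text. It assumes the Request Object JWT has already been signature-verified and decoded into a dict of claims; the function and exception names and the sample requests are constructed for illustration.

```python
# Added example, not from the OpenID Connect specification: guard against
# parameter mismatches between the plain OAuth parameters and the Request Object.
# Assumes the Request Object has already been signature-checked and decoded.

class RequestObjectMismatch(Exception):
    """Raised when the outer OAuth parameters and the Request Object disagree."""


def merge_authorization_request(query_params: dict, request_object_claims: dict) -> dict:
    """Return the effective authorization parameters, or raise RequestObjectMismatch.

    query_params: parameters sent in the query string (or POST body).
    request_object_claims: claims of the already-verified Request Object.
    """
    # Rule: neither request nor request_uri may appear inside a Request Object,
    # otherwise the object could point at a second object and evade this check.
    for forbidden in ("request", "request_uri"):
        if forbidden in request_object_claims:
            raise RequestObjectMismatch(f"'{forbidden}' is not allowed inside a Request Object")

    # Rule: the two client ID values MUST match, so a signed object cannot be
    # replayed by a different client than the one it was issued for.
    outer_client_id = query_params.get("client_id")
    inner_client_id = request_object_claims.get("client_id")
    if outer_client_id is None or inner_client_id is None or outer_client_id != inner_client_id:
        raise RequestObjectMismatch("client_id in query parameters and Request Object must match")

    # Rule: only the values from the Request Object are used. Outer parameters
    # such as a differing redirect_uri or scope are ignored, never merged in,
    # so they cannot override what the signed object says.
    return dict(request_object_claims)


def is_rejected(query_params: dict, request_object_claims: dict) -> bool:
    """True if the request would be refused under the mismatch rules."""
    try:
        merge_authorization_request(query_params, request_object_claims)
    except RequestObjectMismatch:
        return True
    return False


# Constructed sample requests (hypothetical client ID and URLs, not real traffic).
GOOD_QUERY = {"client_id": "s6BhdRkqt3", "response_type": "code", "request": "<signed-jwt>"}
GOOD_OBJECT = {"client_id": "s6BhdRkqt3", "response_type": "code",
               "redirect_uri": "https://client.example.org/cb", "scope": "openid"}
# Outer redirect_uri disagrees with the signed object: it must be ignored, not honored.
TAMPERED_QUERY = {**GOOD_QUERY, "redirect_uri": "https://other.example/cb"}
```

Running `merge_authorization_request(TAMPERED_QUERY, GOOD_OBJECT)` yields the Request Object's redirect_uri, while a query whose client_id differs from the object's, or an object carrying a request_uri claim, is rejected.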