The spec currently restricts Redirect-* header processing to 303 redirects only. This may be unnecessarily limiting — 302 is by far the most common redirect status code in the wild, and OAuth specs historically reference 302.
Consider broadening to cover 30x redirects (301, 302, 303, 307, 308) or at minimum 302 and 303.
Raised during IETF 125 presentation preparation.