Authorization Code Verification Request is malformed

[fluffy-critter]

At this point in the spec: https://github.com/sknebel/AutoAuth/blob/master/AutoAuth.md#authorization-code-verification-request

There seem to be two errors, relative to what IndieAuth providers expect:

• callback_url should be redirect_uri
• client_id is required

This is at least the case on all of the IndieAuth endpoints I've tried against (namely SelfAuth and commentpara.de).

[sknebel]

This needs to verify the data included in the Token request. there is no redirect_url due to the lack of a a browser in the flow for which this would be appropriate, so no redirect_uri can be checked here.

Client ID could be added if there's good reasons to do so, but I'm not sure it's needed.

[fluffy-critter]

Does this require the addition of callback_url to IndieAuth authorization endpoints, then? I was under the impression that this specification was intended to work with the existing IndieAuth infrastructure.

[fluffy-critter]

For reference, I use SelfAuth as my auth_endpoint, with its source at https://github.com/Inklings-io/selfauth/blob/master/index.php
and here's the token_endpoint built into Publ: https://github.com/PlaidWeb/Publ/blob/f1baa08baa2e1bc7cf771b35ec457fc3784f7aea/publ/tokens.py#L22

[fluffy-critter]

Resolved via discussion, tl;dr form starts at https://chat.indieweb.org/dev/2019-10-30#t1572457299643200 - will continue discussion in #18