Section 4.1 of the OAuth 2.0 RFC states:
(A) The client initiates the flow by directing the resource owner's
user-agent to the authorization endpoint. The client includes
its client identifier, requested scope, local state, and a
redirection URI to which the authorization server will send the
user-agent back once access is granted (or denied).
As a result, the user may see something like this in the user agent (e.g., a browser):
I am particularly worried about the
redirect_uri. Doesn't this provide too much information to a malicious agent?
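
Added example, not part of the original post or of the RFC text: a Python sketch of the step (A) request as the client builds it and as an authorization server could check it before redirecting, comparing `redirect_uri` with the URIs registered for that client. The endpoint, client ID, URIs and function names are constructed placeholders, and the exact string comparison is an assumption about server policy.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values (assumptions, not from the post or a real deployment).
AUTHZ_ENDPOINT = "https://as.example/authorize"
REGISTERED = {"client-123": {"https://client.example/cb"}}  # client_id -> redirect URIs


def build_authorization_request(client_id, redirect_uri, scope):
    """Client side of step (A): return (url, state). No secret goes in the URL."""
    state = secrets.token_urlsafe(16)  # "local state", checked again on the callback
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHZ_ENDPOINT}?{query}", state


def validate_authorization_request(url):
    """Server side: return the parameters if acceptable, else raise ValueError."""
    raw = parse_qs(urlsplit(url).query)
    # Reject repeated parameters so two redirect_uri values cannot disagree.
    if any(len(values) != 1 for values in raw.values()):
        raise ValueError("parameter included more than once")
    params = {key: values[0] for key, values in raw.items()}
    registered = REGISTERED.get(params.get("client_id"))
    if registered is None:
        raise ValueError("unknown client_id")
    # Exact match only: a URI that is visible in the browser is of no use to
    # a third party unless the server is willing to redirect somewhere else.
    if params.get("redirect_uri") not in registered:
        raise ValueError("redirect_uri not registered for this client")
    return params


def is_request_accepted(url):
    """Boolean wrapper around validate_authorization_request."""
    try:
        validate_authorization_request(url)
        return True
    except ValueError:
        return False
```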