2016-09-29 UTC
# aaronpk closest I found is this: https://mailarchive.ietf.org/arch/msg/oauth/STYsOy77_gknub-pOgO_mTg6cCA "By checking that the callback URI used to deliver the code is the same as the one used to initiate the flow, the authorization server can verify that the user who initiated the flow is the same one to authorize access and finish the flow."