aaronpkthe big picture is that until we get all the edge cases of this worked out, it's probably best for the authorization server to show a warning (and maybe even make the user click something to confirm) if the redirect uri isn't registered or doesn't match
