2019-10-08 UTC
# [dmitshur] As I understand, it "should" happen and it's to be done by the authorization endpoint (i.e., part of step 4 in the diagram at https://indieweb.org/indieauth-for-login). The relevant section in the spec seems to be section 7.2, https://indieauth.spec.indieweb.org/#preventing-phishing-and-redirect-attacks.