[icebraining]

No, you do pass the URI dynamically, it's a required part of the Access Token Request: http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4....

It's just that with a decent implementation, you should also be required to register it beforehand with the provider.

[vertex-four]

Not just a decent implementation; an implementation which meets the spec. This is not a problem with OAuth2, which explicitly requires registration of URIs where the implicit grant type is used, and covers other cases well in the Security Considerations section.

[nailer]

That makes a lot of sense: I've only really dealt with oAuth 2, as oAuth 1.0a is vastly more complicated and only Twitter seems to still use it.

Thanks icebraining & vertex-four.