Reputation: 1674
I read The OAuth 2.0 Authorization Framework and cannot understand when redirect_uri may be omitted in OAuth authorization.

3.1.2.3. Dynamic Configuration says: If multiple redirection URIs have been registered, if only part of the redirection URI has been registered, or if no redirection URI has been registered, the client MUST include a redirection URI with the authorization request using the "redirect_uri" request parameter.

So, the "redirect_uri" request parameter MUST always be included?
Upvotes: 0
Views: 270
Reputation: 19001
"OpenID Connect Core 1.0, 3.1.2.1. Authentication Request" says redirect_uri is REQUIRED. So, my understanding is that the redirect_uri parameter is always required when an authorization request should be regarded as an OpenID Connect request.

A certain implementation always requires the redirect_uri parameter (even if the number of registered redirect URIs is 1) when a request contains openid in the scope parameter. The reason the implementation judges whether a request is an OpenID Connect request or a normal RFC 6749 request based on whether openid is included in the scope parameter or not is that "3.1.2.1. Authentication Request" says as follows.

scope
REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.
Upvotes: 0
Reputation: 53928
When there's one and only one redirect_uri registered for the Client, it may be omitted from the Authorization Request since the Provider would know unambiguously where to send the Authorization Response.
Upvotes: 1
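The two answers above describe two rules that an authorization server has to combine: under RFC 6749 3.1.2.3 redirect_uri may be left out only when exactly one full redirection URI is registered, and under OpenID Connect Core 3.1.2.1 it is always required once openid is in scope (and must then exactly match a registered value). The following Python is an added example written for this page, not code from either answer or from any real authorization server; the client registration store and the parameter names are assumptions, and partial (prefix) registration from 3.1.2.3 is deliberately not modelled, so matching is exact string comparison as OpenID Connect requires. On any failure the function raises rather than returning a target, because RFC 6749 3.1.2.4 forbids redirecting the user agent to an invalid redirection URI.

```python
"""Deciding whether redirect_uri may be omitted and validating it when present.

Rules implemented (added example, not any provider's own code):
  - RFC 6749 3.1.2.3: redirect_uri may be omitted only when exactly one full
    redirection URI is registered; with zero or several registered it is required.
  - OpenID Connect Core 3.1.2.1: when "openid" is in scope, redirect_uri is
    REQUIRED and MUST exactly match a registered value (simple string comparison).
  - RFC 6749 3.1.2: the redirection URI must be absolute and carry no fragment.
  - RFC 6749 3.1.2.4: on failure, never redirect to the supplied URI (hence raise).
"""
from urllib.parse import urlparse


class RedirectUriError(Exception):
    """Request rejected: answer the user agent directly, never via redirect."""


def resolve_redirect_uri(registered_uris, params):
    """Return the redirect URI to deliver the authorization response to, or raise.

    registered_uris: full redirection URIs registered for the client
                     (hypothetical client store; prefix registration unsupported).
    params: the parsed query parameters of the authorization request.
    """
    requested = params.get("redirect_uri")
    scope_values = params.get("scope", "").split()
    is_oidc = "openid" in scope_values  # OIDC Core 3.1.2.1: openid scope marks an OIDC request

    if requested is None:
        if is_oidc:
            raise RedirectUriError("OpenID Connect request: redirect_uri is REQUIRED")
        if len(registered_uris) == 1:
            # Unambiguous: the provider knows the only place it may send the response.
            return registered_uris[0]
        if not registered_uris:
            raise RedirectUriError("no redirection URI registered and none supplied")
        # Several registered: never pick one "by default".
        raise RedirectUriError("multiple redirection URIs registered: redirect_uri is required")

    parsed = urlparse(requested)
    if not parsed.scheme:
        raise RedirectUriError("redirect_uri must be an absolute URI")
    if "#" in requested:
        raise RedirectUriError("redirect_uri must not contain a fragment component")
    # Exact match only. Prefix or host-only matching is a known source of
    # authorization code leakage through path traversal and open redirectors.
    if requested not in registered_uris:
        raise RedirectUriError("redirect_uri does not exactly match a registered value")
    return requested


# Constructed sample client registrations (assumed, not real data).
CLIENTS = {
    "single": ["https://app.example/cb"],
    "multi": ["https://app.example/cb", "https://app.example/cb2"],
    "none": [],
}

if __name__ == "__main__":
    cases = [  # constructed requests
        ("single", {"response_type": "code", "scope": "read"}),
        ("single", {"response_type": "code", "scope": "openid profile"}),
        ("multi", {"response_type": "code", "scope": "read"}),
        ("multi", {"response_type": "code", "scope": "read",
                   "redirect_uri": "https://app.example/cb2"}),
        ("single", {"response_type": "code", "scope": "openid",
                    "redirect_uri": "https://app.example/cb/../evil"}),
    ]
    for client, request in cases:
        shown = str(request.get("redirect_uri"))
        try:
            target = resolve_redirect_uri(CLIENTS[client], request)
            print(f"{client:6} {shown:34} -> ACCEPT, redirect to {target}")
        except RedirectUriError as err:
            print(f"{client:6} {shown:34} -> REJECT: {err}")
```

Note that the rejected cases must produce an error page shown directly to the user agent; a server that "helpfully" redirects to the first registered URI, or to the unvalidated requested one, is exactly the behaviour the specifications rule out.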