Dear OAuth spec folks: Why is redirect_uri required, if every impl forces you to define it in advance? Before you say "security", it's not.