I suspect it was an unintentional oversight in the Security BCP and that it should be updated to allow for it.
On Mon, May 11, 2020 at 10:03 AM Aaron Parecki <[email protected]> wrote:
> The Security BCP has pretty clear language around requiring exact matching
> of redirect URIs now.
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1
>
> However the Native Apps BCP has an exception for localhost URIs to allow
> variable ports.
>
> https://tools.ietf.org/html/rfc8252#section-7.3
>
> Is the intention of the Security BCP to also prevent that use case?
>
> If so, it should probably be spelled out explicitly, since there is
> currently no mention of this. If not, then that exception should also be
> repeated in the Security BCP, since it is currently somewhat ambiguous
> whether the exception in the Native Apps BCP is still allowed.
>
> Aaron Parecki
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
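The two rules discussed above, exact redirect URI matching from the Security BCP with the RFC 8252 section 7.3 loopback-port exception layered on top, as an added authorization-server-side check (example code, not from either BCP or from anyone in this thread). It assumes the exception applies only to the loopback IP literals RFC 8252 names (127.0.0.1 and ::1) over plain http, and deliberately does not treat the hostname "localhost" as loopback:

```python
from urllib.parse import urlsplit

# Loopback IP literals named in RFC 8252 section 7.3. The hostname
# "localhost" is deliberately excluded here (assumption of this example:
# it is a name, not a loopback literal, and may resolve elsewhere).
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_redirect(uri: str) -> bool:
    """True if uri is an http loopback-interface redirect URI (RFC 8252 7.3)."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and (parts.hostname or "") in LOOPBACK_HOSTS


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact string comparison (Security BCP), with one exception (Native
    Apps BCP): when both URIs are loopback redirects, the port may differ,
    because a native app binds an ephemeral port at runtime. Scheme, host,
    path, query and fragment must still be identical."""
    if registered == requested:
        return True
    if not (is_loopback_redirect(registered) and is_loopback_redirect(requested)):
        return False
    reg, req = urlsplit(registered), urlsplit(requested)
    # Compare every component except the port; hostname is used so that
    # the "[::1]" brackets and case do not affect the comparison.
    return (
        reg.scheme == req.scheme
        and reg.hostname == req.hostname
        and reg.path == req.path
        and reg.query == req.query
        and reg.fragment == req.fragment
    )


def find_registered_redirect(registered_uris, requested: str):
    """Return the registered URI the request matches, or None to reject."""
    for uri in registered_uris:
        if redirect_uri_matches(uri, requested):
            return uri
    return None
```

A request whose redirect_uri yields None from find_registered_redirect should be rejected before any user interaction, since the error cannot safely be delivered to an unvalidated URI.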
