Indeed, we shall fix that.

On 11.05.20 at 20:43, Brian Campbell wrote:
> I suspect it was an unintentional oversight in the Security BCP and
> that it should be updated to allow for it.
>
> On Mon, May 11, 2020 at 10:03 AM Aaron Parecki <[email protected]> wrote:
>
>> The Security BCP has pretty clear language around requiring exact
>> matching of redirect URIs now.
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1
>>
>> However the Native Apps BCP has an exception for localhost URIs to
>> allow variable ports.
>>
>> https://tools.ietf.org/html/rfc8252#section-7.3
>>
>> Is the intention of the Security BCP to also prevent that use case?
>>
>> If so, it should probably be spelled out explicitly, since there
>> is currently no mention of this. If not, then that exception
>> should also be repeated in the Security BCP, since it is currently
>> somewhat ambiguous whether the exception in the Native Apps BCP is
>> still allowed.
>>
>> Aaron Parecki
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
