Hello everyone,

Both RFC 8252 <https://tools.ietf.org/html/rfc8252#section-7.1> and OAuth 2.1 draft <https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-10.3.1> state that (paraphrasing)

> Apps MUST use a URI scheme based on a domain name under their control,
> expressed in reverse order, as recommended by Section 3.8 of [RFC7595] for
> private-use URI schemes.

e.g. com.example.app:/

My question is, is the AS right to reject client registrations that do not follow this specific requirement, e.g. to reject myapp:/oauth2/example-issuer on account of it being neither a claimed https scheme, nor an http: + loopback interface, nor having a "." (dot) character suggesting it is a reverse domain scheme?

Best,
*Filip*
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
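The registration-time check the question describes, sketched as an added example (not part of the original message and not any authorization server's own code). The function name, the category labels, the rejection of `localhost` and all sample URIs other than the two quoted in the message are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def classify_redirect_uri(uri: str) -> str:
    """Classify a native-app redirect URI (hypothetical helper).

    Returns 'claimed-https', 'loopback-http', 'private-use' or 'rejected'.
    """
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return "rejected"
    scheme = parts.scheme.lower()

    if scheme == "https":
        # Claimed https scheme: there must be a host for the app to claim.
        return "claimed-https" if parts.hostname else "rejected"

    if scheme == "http":
        # Only loopback IP literals pass; the port is left unconstrained.
        try:
            loopback = ipaddress.ip_address(parts.hostname or "").is_loopback
        except ValueError:
            loopback = False  # a hostname, not an IP literal (assumption: reject)
        return "loopback-http" if loopback else "rejected"

    # Anything else is treated as a private-use scheme. The dot is only a
    # syntactic hint of reverse-domain form; the server cannot tell from the
    # string whether the registrant controls that domain.
    labels = scheme.split(".")
    return "private-use" if len(labels) >= 2 and all(labels) else "rejected"


# Constructed samples, except the two URIs quoted in the message.
SAMPLE_URIS = [
    "com.example.app:/",
    "myapp:/oauth2/example-issuer",
    "http://127.0.0.1:51004/callback",
    "http://[::1]:51004/callback",
    "http://localhost:51004/callback",
    "https://app.example.com/oauth2/callback",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{classify_redirect_uri(uri):14} {uri}")
```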