Indeed, we shall fix that.

On 11.05.20 at 20:43, Brian Campbell wrote:
> I suspect it was an unintentional oversight in the Security BCP and
> that it should be updated to allow for it.
>
> On Mon, May 11, 2020 at 10:03 AM Aaron Parecki <aa...@parecki.com> wrote:
>
> > The Security BCP has pretty clear language around requiring exact
> > matching of redirect URIs now.
> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1
> >
> > However the Native Apps BCP has an exception for localhost URIs to
> > allow variable ports.
> > https://tools.ietf.org/html/rfc8252#section-7.3
> >
> > Is the intention of the Security BCP to also prevent that use case?
> >
> > If so, it should probably be spelled out explicitly, since there
> > is currently no mention of this. If not, then that exception
> > should also be repeated in the Security BCP, since it is currently
> > somewhat ambiguous whether the exception in the Native Apps BCP is
> > still allowed.
> >
> > Aaron Parecki
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
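As an added illustration (not code from the thread, the Security BCP or RFC 8252), here is a redirect URI check that applies exact string matching and carves out only the loopback port exception the Native Apps BCP describes. The `LOOPBACK_HOSTS` set and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Hosts for which RFC 8252 section 7.3 lets the port vary at request time.
# Listing "localhost" here is an assumption of this example (RFC 8252 prefers
# the IP literals); drop it if the server only registers literal forms.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def is_loopback_redirect(uri: str) -> bool:
    """True if uri is a plain http URI whose host is a loopback address."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and (parts.hostname or "") in LOOPBACK_HOSTS


def redirect_uri_matches(registered: str, presented: str) -> bool:
    """Exact match (Security BCP), plus the loopback port exception (RFC 8252).

    Everything that is not a registered loopback URI must be byte-for-byte
    identical: no prefix, host, path, query or port leniency.
    """
    if registered == presented:
        return True
    if not is_loopback_redirect(registered):
        return False
    r, p = urlsplit(registered), urlsplit(presented)
    return (
        p.scheme == "http"
        and "@" not in p.netloc            # refuse userinfo tricks in the authority
        and p.hostname == r.hostname       # same loopback literal, not a look-alike
        and p.path == r.path               # only the port may differ
        and p.query == r.query
        and p.fragment == "" and r.fragment == ""
    )


def pick_registered_uri(registered_uris, presented):
    """Return the registered URI the request matches, or None to reject it."""
    for uri in registered_uris:
        if redirect_uri_matches(uri, presented):
            return uri
    return None
```

Because the loopback branch only relaxes the port, a request redirecting to `http://127.0.0.1.attacker.example:51234/cb` or to a different path is still rejected.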