Please note that this simple validation (in combination with the web
application enforcing http(s) schemes) removes the need to implement and
maintain a blocklist of potentially malicious schemes such as
`javascript:/`, `vbscript:/`, and `data:/`.

More details:
https://security.lauritz-holtmann.de/post/sso-security-redirect-uri/

Best,
*Filip*


On Thu, 3 Dec 2020 at 10:59, Filip Skokan <panva...@gmail.com> wrote:

> Hello everyone,
>
> Both RFC 8252 <https://tools.ietf.org/html/rfc8252#section-7.1> and OAuth
> 2.1 draft
> <https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-10.3.1>
> state that (paraphrasing)
>
> Apps MUST use a URI scheme based on a domain name under their control,
>> expressed in reverse order, as recommended by Section 3.8 of [RFC7595] for
>> private-use URI schemes. e.g. com.example.app:/
>
> My question is, is the AS right to reject client registrations that do not
> follow this specific requirement, to e.g. reject myapp:/oauth2/example-issuer
> on account of it being neither a claimed https scheme, nor an http: +
> loopback interface, nor having a "." (dot) character suggesting it is a
> reverse-domain scheme?
>
> Best,
> *Filip*
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
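The redirect URI check discussed in the thread (a claimed https scheme, or http: on a loopback interface, or a reverse-domain private-use scheme recognised by a "." in the scheme), written out as an added example; this is illustrative code, not the code of any authorization server mentioned here. It assumes reverse-domain schemes are lowercase labels separated by dots, accepts http: only for loopback IP literals (not the hostname `localhost`), and rejects any URI carrying a fragment per RFC 6749 section 3.1.2. The sample URIs at the bottom are constructed for the demonstration.

```python
"""Classify OAuth redirect URIs into the three allowed shapes from
RFC 8252 / OAuth 2.1 s10.3.1, rejecting everything else.
Hypothetical example; not node-oidc-provider or any AS's real code."""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 scheme syntax (lowercased before matching).
_SCHEME_SYNTAX = re.compile(r"^[a-z][a-z0-9+.-]*$")
# Reverse-domain private-use scheme, e.g. com.example.app.
# Assumption: lowercase labels, at least one dot, no empty labels.
_REVERSE_DOMAIN_SCHEME = re.compile(r"^[a-z][a-z0-9-]*(\.[a-z0-9-]+)+$")


def classify_redirect_uri(uri: str) -> str:
    """Return 'https', 'loopback', 'private-use', or 'rejected'.

    No blocklist is consulted: javascript:, vbscript:, data: and similar
    schemes fall through to 'rejected' simply because they match none of
    the three allowed shapes.
    """
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "rejected"  # e.g. malformed IPv6 literal in the authority
    scheme = parts.scheme.lower()
    if not scheme or not _SCHEME_SYNTAX.match(scheme):
        return "rejected"  # relative reference or malformed scheme
    if parts.fragment:
        return "rejected"  # redirect URIs MUST NOT contain a fragment

    if scheme == "https":
        # Assumption: the AS separately verifies the domain is claimed.
        return "https" if parts.hostname else "rejected"

    if scheme == "http":
        # Only loopback IP literals; port may vary (RFC 8252 s7.3).
        host = parts.hostname
        try:
            if host and ipaddress.ip_address(host).is_loopback:
                return "loopback"
        except ValueError:
            pass  # not an IP literal (e.g. 'localhost') -> rejected
        return "rejected"

    if _REVERSE_DOMAIN_SCHEME.match(scheme):
        return "private-use"
    return "rejected"


def is_acceptable_redirect_uri(uri: str) -> bool:
    """Registration-time gate: True only for one of the allowed shapes."""
    return classify_redirect_uri(uri) != "rejected"


def reject_unacceptable(redirect_uris):
    """Return the subset of a client's redirect_uris the AS would refuse."""
    return [u for u in redirect_uris if not is_acceptable_redirect_uri(u)]


if __name__ == "__main__":
    # Constructed sample registration; not taken from any real client.
    sample = [
        "https://example.com/cb",
        "http://127.0.0.1:49152/cb",
        "http://[::1]:49152/cb",
        "com.example.app:/oauth2/cb",
        "myapp:/oauth2/example-issuer",
        "javascript:/alert(1)",
        "vbscript:/",
        "data:/",
        "http://localhost/cb",
        "https://example.com/cb#fragment",
    ]
    for u in sample:
        print(f"{u:40} -> {classify_redirect_uri(u)}")
    print("rejected:", reject_unacceptable(sample))
```

Note the deliberate trade-off: `myapp:/...` is refused even though it is harmless, while any dotted scheme such as `com.example.app` is accepted without further inspection. That is exactly what makes the check simple enough to replace a scheme blocklist, and it is also why the question of whether an AS may insist on it matters.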