idpy-oidc icon indicating copy to clipboard operation
idpy-oidc copied to clipboard
verified publisher icon IdentityPython

Redirect URI comparison for native OAuth clients (RFC 8252)

Open lionick opened this issue 1 year ago • 0 comments

Native Applications have to use ephemeral ports in the redirect_uri. This is something that is already addressed by the RFCs:

Draft-ietf-oauth-security-topics-27: This document therefore advises simplifying the required logic and configuration by using exact redirect URI matching ... The only exception is native apps using a localhost URI: In this case, the authorization server MUST allow variable port numbers as described in [RFC8252], Section 7.3.

RFC 8252: OAuth 2.0 for Native Apps (rfc-editor.org): Native apps that are able to open a port on the loopback network interface without needing special permissions (typically, those on desktop operating systems) can use the loopback interface to receive the OAuth redirect. Loopback redirect URIs use the "http" scheme and are constructed with the loopback IP literal and whatever port the client is listening on. That is, "http://127.0.0.1:{port}/{path}" for IPv4, and "http://[::1]:{port}/{path}" for IPv6.

lionick avatar Jun 10 '24 06:06 lionick