Discourage use of insecure HTTP for client_id and redirect_uri?

[saschanaz]

Per https://indieauth.spec.indieweb.org/#client-identifier:

Client identifier URLs MUST have either an https or http scheme

But the spec does not discourage the latter, nor whether the server may reject the latter, and same for redirect_uri. Should there be some explicit discouragement?

[omz13]

It is 2023, the world has changed since the web was born: https is cheap, efficient, and ubiquitous, so yes, can we just move to https (and preferably tls 1.2 or better) by shifting the emphasis.

Plus, on iOS, macOS, establishing an insecure http connection is an almost impossible task, which means any clients on those platforms will, sooner rather than later, be forced to https.

[darrenmeehan]

This is something I was surprised by when setting up my own site. As a user it was annoying having to specify the scheme each time. I've read in places that my domain is my identity, but this isn’t the full picture.

As I developer think using http breaks down the trust model of indie auth.

I’d go further than discouraging http, and enforce https. I don't know enough about the ecosystem to know what getting there looks like.

[darrenmeehan]

https://github.com/indieweb/indieauth/issues/103 is a similar issue here which mentions enforcement, but there's more discussion here.