Require explicitly specifying `redirect_uri` instead of allowing same-host URIs by default?

[saschanaz]

trafficstars

Section 4.2.2 says:

If a client wishes to use a redirect URL that has a different host than their client_id, or if the redirect URL uses a custom scheme (such as when the client is a native application), then the client will need to explicitly list those redirect URLs so that authorization endpoints can be sure it is safe to redirect users there.

I wonder the following situation is possible:

1. The author user of the client my-client thinks GitHub Pages https://user.github.io/my-client should be enough for the client ID as there's only one person who has the access for that origin at that point.
2. The author later does some collaboration with other people for a project named our-project but without setting up an organization. Now other people has access to https://user.github.io/our-project which is an implicitly allowed redirect URI by IndieAuth.

Also, some provider libraries only support exact URI matching since OAuth 2.0 Security Best Current Practice recommends that.

[jalcine]

That'd be fixed then by moving the project to an organization, no?

I am in favor of doing a strict check though, that's just a lot easier to deal with.

(Originally published at: https://jacky.wtf/2023/11/A93v)