
clarify case sensitivity of redirect URI string matching

Open aaronpk opened this issue 4 years ago • 6 comments

from Vittorio:


The authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986], Section 6.2.1.

RFC3986 6.2.1 talks about character by character comparison, but doesn't mention case sensitivity. I am sure it does elsewhere in the spec, but for clarity and readability I recommend specifying the desired behavior directly here.

aaronpk, Mar 02 '21 00:03

Technically I'm not sure case sensitive matching of the host name is actually required if you were to follow RFC3986, since host names are case insensitive. We should probably clarify this in the Security BCP and 2.1.

aaronpk, Mar 02 '21 00:03

RFC 3986 6.2.1 talks about "bit-for-bit" or "byte-for-byte" comparison, which means case sensitive matching. Is that what you want to state?

tlodderstedt, Mar 02 '21 13:03

Character by character comparison? Byte for byte can be challenging as different byte arrangements can represent the same character. I do think we are intending a case sensitive string comparison.

dickhardt, Mar 16 '21 00:03

@tlodderstedt I believe the Security BCP has some updated language to use here, could you pull from that and make a PR?

aaronpk, Feb 24 '24 00:02

Using simple string comparison for redirect URIs is not always possible due to the usage of randomly assigned ports in Redirect URIs for public (native) clients.

The OpenID Connect Core spec says that

REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison).

which kind of makes it "impossible" to use an ephemeral port obtained from the OS for these clients.

adeinega, Feb 24 '24 00:02

There's already an exception for the random port, so we'll need to carve that out in this top section too.

aaronpk, Feb 24 '24 01:02
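The two points raised in this thread, case sensitive simple string comparison of the redirect URI and the carve-out for loopback redirect URIs with an ephemeral port, as an added example that is not part of the issue, the OAuth 2.1 draft, or any implementation named here. It assumes, following the loopback rule in RFC 8252 section 7.3, that only the two IP literals 127.0.0.1 and [::1] over http qualify for the port exception (so "localhost" does not), and the function and variable names are the example's own.

```python
import re
from typing import Iterable, Optional

# Authority of an http loopback redirect URI, capturing the optional ":port".
# Assumption (after RFC 8252 section 7.3): only these two IP literals qualify;
# "localhost" is deliberately excluded. The lookahead stops "127.0.0.10" and
# "127.0.0.1.evil.example" from matching.
_LOOPBACK_RE = re.compile(r"^http://(127\.0\.0\.1|\[::1\])(:\d{1,5})?(?=/|\?|#|$)")


def _strip_loopback_port(uri: str) -> Optional[str]:
    """If `uri` is an http loopback redirect URI, return it with the port
    removed; otherwise return None. Nothing else is touched: scheme case,
    host, path, query and fragment stay exactly as the client sent them."""
    m = _LOOPBACK_RE.match(uri)
    if not m:
        return None
    if m.group(2) is None:
        return uri
    return uri[: m.start(2)] + uri[m.end(2):]


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Simple string comparison in the sense of RFC 3986 section 6.2.1: the
    two strings must be identical code point for code point, which makes the
    comparison case sensitive even though DNS host names are not, and applies
    no normalization (no trailing-slash, default-port, percent-encoding or
    Unicode NFC/NFD normalization). The single carve-out is the loopback
    exception: when both URIs are http loopback redirect URIs the port is
    ignored, so a native client may listen on an OS-assigned ephemeral port."""
    reg = _strip_loopback_port(registered)
    req = _strip_loopback_port(requested)
    if reg is not None and req is not None:
        return reg == req
    return registered == requested


def select_redirect_uri(registered_uris: Iterable[str], requested: str) -> Optional[str]:
    """Return the registered redirect URI the request matches, or None.
    Iterating all entries rather than stopping early keeps the check
    independent of registration order; an authorization server would reject
    the request (without redirecting) when this returns None."""
    winner = None
    for candidate in registered_uris:
        if redirect_uri_matches(candidate, requested) and winner is None:
            winner = candidate
    return winner


if __name__ == "__main__":
    # Constructed sample registration for a confidential web client and a
    # native client using the loopback flow.
    registered = [
        "https://client.example.org/cb",
        "http://127.0.0.1/cb",
    ]
    for req in [
        "https://client.example.org/cb",       # exact match
        "https://CLIENT.example.org/cb",       # host case differs: rejected
        "https://client.example.org/cb/",      # trailing slash: rejected
        "http://127.0.0.1:51234/cb",           # ephemeral port: accepted
        "http://127.0.0.1:51234/evil",         # path differs: rejected
        "http://localhost:51234/cb",           # not a loopback IP literal here
    ]:
        print(f"{req!r:45} -> {select_redirect_uri(registered, req)!r}")
```

The Unicode point made in the thread shows up in the same function: the precomposed "é" (U+00E9) and "e" followed by a combining acute (U+0065 U+0301) render identically but are different code point sequences, so `redirect_uri_matches` treats them as different URIs. That is the intended behaviour of simple string comparison; a server that wants those to match has to normalize at registration time and again at request time, in the same way, rather than loosen the comparison.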