
OAuth: Specify allowed schemes for redirect_uri parameter

Open palant opened this issue 5 years ago • 9 comments

The spec says:

if no client registration is required, the server MUST ignore the value of the client_id parameter in favor of relying on the origin of the redirect_uri parameter for unique client identification.

For this to be a good measure, the scheme of the redirect_uri parameter needs to be something where the origin is something meaningful. However, so far all servers I've seen which implement this part of the spec correctly (such as reStore) do not enforce particular schemes for redirect_uri. This makes redirect_uri values such as data://google.com/,text possible where google.com is considered the origin. Luckily, browsers usually will refuse to redirect to this URL.

There is another aspect here: php-remote-storage, while failing to implement this part of the spec correctly, has the following line in its validation routine:

// XXX we also should enforce HTTPS

Should this ever be implemented, it would break most non-web clients.

I think that the spec should prevent such issues by explicitly stating: allowed schemes for redirect_uri are HTTP and HTTPS.

palant · May 24 '19 09:05