
Authentication Request of OpenID Connect Core 1.0:
If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in Section 6.2.1.

And the requirement in the Section 3.1.2.1.

Dynamic Configuration of RFC 6749 The OAuth 2.0 Authorization Framework:

Conflict among Specifications

A problem is that the requirement in Section 7.3 of RFC 8252 conflicts with the requirement in Section 3.1.2.3. To be concrete, when the host component of a redirection URI included in an authorization request is either 127.0.0.1 or ::1 (or equivalent), the authorization server must ignore the port number component when comparing the specified redirection URI to pre-registered ones.

For example, if an authorization request includes redirect_uri= and the client application has pre-registered as a redirection URI, the authorization server must judge that the specified redirection URI matches the pre-registered one.

The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request.

The specification requires an authorization server to treat the port number component of redirection URIs as variable when the host component is a loopback IP address.
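A sketch of how an authorization server could reconcile the two rules, written as an added example that is not part of the original article or of any particular server: simple string comparison stays the default, and the port is treated as variable only when both URIs carry the same loopback IP literal. The function names and sample URIs are hypothetical, and rejecting userinfo in loopback URIs is an assumption made here.

```python
import ipaddress
from urllib.parse import urlsplit

def _loopback_ip(host):
    """Return the parsed address if host is a loopback IP literal, else None."""
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return None  # host names such as "localhost" are not IP literals
    return ip if ip.is_loopback else None

def redirect_uri_matches(requested, registered):
    """Compare one requested redirect_uri with one pre-registered value."""
    if requested == registered:  # simple string comparison, the default rule
        return True
    try:
        req, reg = urlsplit(requested), urlsplit(registered)
        _ = (req.port, reg.port)  # raises ValueError on a malformed port
    except ValueError:
        return False
    req_ip, reg_ip = _loopback_ip(req.hostname), _loopback_ip(reg.hostname)
    if req_ip is None or req_ip != reg_ip:
        return False  # the port is variable only for the same loopback IP
    if "@" in req.netloc or "@" in reg.netloc:
        return False  # assumption: refuse userinfo in loopback URIs
    # Every component other than the port must still be identical.
    return (req.scheme, req.path, req.query, req.fragment) == (
        reg.scheme, reg.path, reg.query, reg.fragment)

def is_registered(requested, registered_uris):
    """True if the requested URI matches any pre-registered URI."""
    return any(redirect_uri_matches(requested, r) for r in registered_uris)

# Constructed sample registration for a native app client.
SAMPLE_REGISTERED = ["http://127.0.0.1/cb", "http://[::1]/cb",
                     "https://client.example.com/cb"]
```

Host names such as `localhost` deliberately fall back to exact comparison, because the port exception in the text is stated for loopback IP addresses only.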

This article is about “Loopback Interface Redirection” which is written in the Section 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps.

Loopback Interface Redirection Introduction
