[Openid-specs-ab] Native apps redirect_uri scheme

William Denniss wdenniss at google.com
Tue Mar 21 17:45:51 UTC 2017


+1 to include HTTPS support.  I think the main point is that there needs to
be a distinction between *public* and *confidential* clients, but that
using the redirect URI to determine this is a bad idea.

Regarding localhost vs loopback IP literal:

The Native Apps draft recommends using loopback IP literals over localhost,
as they are slightly superior.  By default, 127.0.0.1 will strictly receive
local traffic only – a desirable security property. It's also immune to
hostname resolution issues (it's possible to break localhost resolution).

In my testing with .NET on Windows 10, opening an HTTP listener on
"http://localhost" opened a socket on all network interfaces and triggered a
firewall dialog – while listening on "http://127.0.0.1" did neither.  I'm
sure it's possible to configure which network interfaces to use with
"localhost", but what I like about 127.0.0.1 is that you don't have to
worry about that.

Since both are simple static constants – and one is better – I recommend
the IP literal.

On Tue, Mar 21, 2017 at 9:59 AM, Roland Hedberg via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi!
>
> There is a thing we probably have to issue an errata for in the OIDC
> client registration document.
>
> This is the case:
>
> — In http://openid.net/specs/openid-connect-registration-1_0.html it says
> in the text about
> application_type:
>
> "Native Clients MUST only register redirect_uris using custom URI schemes
> or URLs using the http: scheme with localhost as the hostname."
>
> Now this conflicts with what is said in
> https://tools.ietf.org/id/draft-ietf-oauth-native-apps-09.html
> where in section 7 it lists these redirect URI options:
> 7.1 Custom URI
> 7.2 HTTPS
> 7.3 loopback aka HTTP://127.0.0.1
>
> Furthermore in 8.6 it says about the use of loopback URI:
> "While redirect URIs using localhost (i.e. http://localhost:{port}/)
> function similarly to loopback IP redirects described in Section 7.3, the
> use of localhost is NOT RECOMMENDED."
>
> -- Roland
> "Education is the path from cocky ignorance to miserable uncertainty." -
> Mark Twain
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
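The loopback redirect discussed above (draft-ietf-oauth-native-apps section 7.3, later RFC 8252), as an added example that is not code from this thread or from any OpenID or IETF project. It is written in Python rather than the .NET William tested with, so it does not reproduce the Windows firewall behaviour he saw; it simply binds the literal 127.0.0.1 on an OS-assigned port, derives redirect_uri from that port, and accepts exactly one authorization response, rejecting any response whose state does not match. The issuer URL and client_id are placeholders, PKCE is left out for brevity, and simulate_redirect stands in for the browser with a constructed query string so the flow runs offline.

```python
"""Loopback redirect listener for a native OAuth/OIDC client. Added example,
not from this thread or any OpenID/IETF project; follows native-apps 7.3."""
import hmac
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def new_state():
    """Unguessable per-request state: ties the response to this request."""
    return secrets.token_urlsafe(32)


class LoopbackRedirectServer(HTTPServer):
    """Single-use listener bound to the literal 127.0.0.1, never "localhost"."""

    def __init__(self, expected_state, path="/callback"):
        # Port 0: the OS picks a free ephemeral port, so redirect_uri is built
        # from the assigned port and the server side must accept any port.
        super().__init__(("127.0.0.1", 0), _CallbackHandler)
        self.expected_state = expected_state
        self.path = path
        self.result = None            # (code, error) once a response arrives
        self.done = threading.Event()

    @property
    def redirect_uri(self):
        host, port = self.server_address[:2]
        return f"http://{host}:{port}{self.path}"


class _CallbackHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):     # keep the example quiet
        pass

    def do_GET(self):
        server = self.server
        url = urllib.parse.urlsplit(self.path)
        if url.path != server.path:   # e.g. /favicon.ico: ignore, keep waiting
            self._reply(404, "not found")
            return
        params = urllib.parse.parse_qs(url.query)
        state = params.get("state", [""])[0]
        # Constant-time compare; a wrong or missing state is rejected first.
        if not hmac.compare_digest(state.encode(), server.expected_state.encode()):
            server.result, status, text = (None, "state_mismatch"), 400, "state mismatch"
        elif "error" in params:
            server.result, status, text = (None, params["error"][0]), 400, "authorization failed"
        elif "code" in params:
            server.result, status, text = (params["code"][0], None), 200, "You may close this window."
        else:
            server.result, status, text = (None, "missing_code"), 400, "missing code"
        self._reply(status, text)
        server.done.set()

    def _reply(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def build_authorization_url(authz_endpoint, client_id, redirect_uri, state):
    """Authorization request (PKCE omitted for brevity; a real client adds it)."""
    return authz_endpoint + "?" + urllib.parse.urlencode({
        "response_type": "code", "client_id": client_id, "scope": "openid",
        "redirect_uri": redirect_uri, "state": state})


def receive_authorization_response(server, timeout=120.0):
    """Serve until one callback has been handled; return (code, error)."""
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        if not server.done.wait(timeout):
            raise TimeoutError("no authorization response received")
        return server.result
    finally:
        server.shutdown()
        server.server_close()


def simulate_redirect(server, query, timeout=10.0):
    """Demo/test helper standing in for the browser: follow the issuer's
    redirect back to redirect_uri with a constructed query string."""
    def browser():
        try:
            urllib.request.urlopen(server.redirect_uri + "?" + query, timeout=5).close()
        except urllib.error.HTTPError:
            pass                      # 4xx replies are expected for bad responses
    threading.Timer(0.1, browser).start()
    return receive_authorization_response(server, timeout)


if __name__ == "__main__":
    state = new_state()               # placeholder issuer and client_id below
    server = LoopbackRedirectServer(state)
    print("redirect_uri:", server.redirect_uri)
    print(build_authorization_url("https://issuer.example/authorize", "app", server.redirect_uri, state))
    print(simulate_redirect(server, "code=SplxlOBeZQQYbYS6WxSbIA&state=" + state))
```

Because the port is chosen at run time, the client cannot register a fixed loopback redirect_uri; the draft handles this by requiring the authorization server to accept any port for loopback IP redirects and compare only scheme, host and path. Requests for other paths (a browser fetching /favicon.ico, for instance) get a 404 without ending the wait, so a stray request cannot make the client give up on the real response.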