[Openid-specs-ab] Native apps redirect_uri scheme

Mike Jones Michael.Jones at microsoft.com
Tue Mar 21 18:00:59 UTC 2017

Can you please file an issue at https://bitbucket.org/openid/connect/issues?status=new&status=open under the Errata milestone proposing specific textual edits to apply?

                                                          -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of William Denniss via Openid-specs-ab
Sent: Tuesday, March 21, 2017 10:46 AM
To: Roland Hedberg <roland at catalogix.se>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Native apps redirect_uri scheme

+1 to include HTTPS support.  I think the main point is that there needs to be a distinction between *public* and *confidential* clients, but that using the redirect URI to determine this is a bad idea.

Regarding localhost vs loopback IP literal:

The Native Apps draft recommends using loopback IP literals over localhost, as they are slightly superior.  By default, will strictly receive local traffic only – a desirable security property. It's also immune to hostname resolution issues (it's possible to break localhost resolution).

In my testing with .NET on Windows 10, opening a HTTP listener on "http://localhost" opened a socket on all network interfaces and triggered a firewall dialog – while listening on "" did neither.  I'm sure it's possible to configure which network interfaces to use with "localhost", but what I like about is that you don't have to worry about that.

Since both are simple static constants – and one is better – I recommend the IP literal.

On Tue, Mar 21, 2017 at 9:59 AM, Roland Hedberg via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:

There is a thing we probably have to issue an errata for in the OIDC cleint registration document.

This is the case:

— In http://openid.net/specs/openid-connect-registration-1_0.html it says in the text about

”Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. "

Now this conflicts with what is said in https://tools.ietf.org/id/draft-ietf-oauth-native-apps-09.html
where in section 7 it lists these redirect URI options:
7.1 Custom URI
7.3 loopback aka HTTP://

Furthermore in 8.6 it says about the use of loopback URI:
"While redirect URIs using localhost (i.e.  http://localhost:{port}/<http://localhost:%7bport%7d/>) function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. "

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170321/d048818b/attachment-0001.html>

More information about the Openid-specs-ab mailing list