[Openid-specs-ab] Dynamic registration possible errata
William Denniss
wdenniss at google.com
Mon Feb 27 17:58:42 UTC 2017
I always interpreted localhost in the spec to include the loopback IP
literals too.
People have implemented dynamic client registration restrictions that very
precisely require "localhost", so this additional clarification errata
could be warranted.
On Mon, Feb 27, 2017 at 5:43 AM, Justin Richer <jricher at mit.edu> wrote:
> That's a fair point -- the intent was native apps use either
>
> - custom uri
>
> - localhost (or equivalent)
>
> -- Justin
>
> On 2/27/2017 6:56 AM, John Bradley via Openid-specs-ab wrote:
>
> We can explicitly mention loopback IP. I always considered them
> synonyms as the hosts file maps localhost to 127.0.0.1 in DNS anyway.
> John B.
>
> On Feb 27, 2017 2:14 AM, "William Denniss" <wdenniss at google.com> wrote:
>
>> +openid-specs-ab
>>
>> Please note the below errata for dynamic client registration.
>>
>> The clarification is that either custom URI schemes (com.example.app:/*),
>> or a localhost redirect with http (http://localhost:*/*) schemes are
>> acceptable redirects for Native Clients – there is no requirement that
>> localhost must be used with a custom URI scheme (in fact such redirects
>> have no host component).
>>
>> Should we also explicitly mention that the IP literal form in place of
>> localhost is acceptable? i.e. 127.0.0.1 and [::1]?
>>
>> On Thu, Dec 8, 2016 at 10:18 AM, Mike Jones <Michael.Jones at microsoft.com>
>> wrote:
>>
>>> I'll add it to my errata issues list. Thanks!
>>>
>>> -----Original Message-----
>>> From: John Bradley [mailto:ve7jtb at ve7jtb.com]
>>> Sent: Thursday, December 8, 2016 10:14 AM
>>> To: Mike Jones <Michael.Jones at microsoft.com>
>>> Cc: William Denniss <wdenniss at google.com>
>>> Subject: Dynamic registration possible errata
>>>
>>> William found a developer with an interesting take on the registration
>>> spec.
>>>
>>> They are trying to enforce localhost for custom scheme URI.
>>>
>>> The relevant sentence is:
>>> Native Clients MUST only register redirect_uris using custom URI
>>> schemes or URLs using the http: scheme with localhost as the hostname.
>>>
>>> The way I intended that to be parsed was
>>>
>>> Native Clients MUST only register (redirect_uris using custom URI
>>> schemes) or (URLs using the http: scheme with localhost as the hostname).
>>>
>>> At least this reader is parsing it as:
>>>
>>> Native Clients MUST only register (redirect_uris using custom URI
>>> schemes or URLs using the http: scheme ) with localhost as the hostname.
>>>
>>> Perhaps a comma before the or?
>>>
>>> What is your opinion as a grammar expert?
>>>
>>> If we can make that clearer we should in the upcoming errata.
>>>
>>> John B.
>>>
>>
>>
>
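Added example, not part of the original thread or of the specification: a registration-time check that implements the intended reading of the sentence (custom scheme, OR http: with localhost as hostname) next to the misparse described in the thread. The function names, the set of schemes treated as not custom, and the `allow_ip_literals` switch (the IP literal form is only proposed in this thread) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: schemes treated as "not custom". The thread does not define this set.
WELL_KNOWN_SCHEMES = {"http", "https", "ftp", "file", "data", "javascript"}
# The two IP literals named in the thread.
LOOPBACK_LITERALS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def is_loopback_host(host, allow_ip_literals):
    """True for 'localhost' and, optionally, the loopback IP literals."""
    if not host:
        return False
    if host == "localhost":
        return True
    if not allow_ip_literals:
        return False
    try:
        return ipaddress.ip_address(host) in LOOPBACK_LITERALS
    except ValueError:  # a DNS name, not an IP literal
        return False


def native_redirect_uri_ok(uri, allow_ip_literals=True):
    """Intended reading: (custom scheme) OR (http: with localhost as hostname)."""
    try:
        parts = urlsplit(uri)
        # Parsed host: lowercased, with port, brackets and userinfo stripped.
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return False
    scheme = parts.scheme.lower()
    if scheme == "http":
        return is_loopback_host(host, allow_ip_literals)
    # Custom scheme: such redirects have no host component, so none is checked.
    return bool(scheme) and scheme not in WELL_KNOWN_SCHEMES


def misread_redirect_uri_ok(uri):
    """The misparse from the thread: localhost required whatever the scheme."""
    try:
        return urlsplit(uri).hostname == "localhost"
    except ValueError:
        return False
```

Comparing the parsed hostname, rather than searching the URI string for "localhost", is what keeps names such as localhost.example.com from passing the http branch.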