<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks Mike. This change should do it to align the OIDC code flow
redirect_uri with the rest of the updated specs.<br>
</p>
<pre class="moz-signature" cols="72">Vladimir Dzhuvinov</pre>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 26/10/2023 17:38, Michael Jones
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MW4PR02MB7428216C829140B53E66D53AB7DDA@MW4PR02MB7428.namprd02.prod.outlook.com">
<div class="WordSection1">
<p style="margin:0in">Thanks for catching this, Vladimir.<o:p></o:p></p>
<p style="margin:0in"><o:p> </o:p></p>
<p style="margin:0in">Is this the kind of wording you were
looking for at <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest</a>
?<o:p></o:p></p>
<p style="margin:0in"><o:p> </o:p></p>
<p class="MsoNormal">redirect_uri<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">REQUIRED.
Redirection URI to which the response will be sent. This URI
MUST exactly match one of the Redirection URI values for the
Client pre-registered at the OpenID Provider, with the
matching performed as described in Section 6.2.1 of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When using this
flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10.0pt">https</span></tt> scheme;
however, it MAY use the
<tt><span style="font-size:10.0pt">http</span></tt> scheme,
provided that the Client Type is
<tt><span style="font-size:10.0pt">confidential</span></tt>,
as defined in Section 2.1 of OAuth 2.0, and provided the OP
allows the use of
<tt><span style="font-size:10.0pt">http</span></tt>
Redirection URIs in this case.
<span style="color:red">It MAY also use the </span><tt><span
style="font-size:10.0pt;color:red">http</span></tt><span
style="color:red"> scheme with
</span><tt><span style="font-size:10.0pt;color:red">localhost</span></tt><span
style="color:red"> or the IP loopback literals
</span><tt><span style="font-size:10.0pt;color:red">127.0.0.1</span></tt><span
style="color:red"> or
</span><tt><span style="font-size:10.0pt;color:red">[::1]</span></tt><span
style="color:red"> as the hostname.</span> The Redirection
URI MAY use an alternate scheme, such as one that is intended
to identify a callback into a native application.
<o:p></o:p></p>
<p style="margin:0in"><o:p> </o:p></p>
<p class="MsoNormal">
-- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="mso-ligatures:none">From:</span></b><span
style="mso-ligatures:none"> Openid-specs-ab
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab-bounces@lists.openid.net">&lt;openid-specs-ab-bounces@lists.openid.net&gt;</a>
<b>On Behalf Of </b>Vladimir Dzhuvinov via
Openid-specs-ab<br>
<b>Sent:</b> Thursday, October 26, 2023 4:10 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Vladimir Dzhuvinov
<a class="moz-txt-link-rfc2396E" href="mailto:vladimir@connect2id.com">&lt;vladimir@connect2id.com&gt;</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] WGLC for candidate
OpenID Connect errata correction drafts<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Regarding <span style="mso-ligatures:none"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Fixed #2026: Clarified description of
loopback hostnames for native applications.<o:p></o:p></p>
</blockquote>
<p>I noticed that in OIDC Core the change was applied to the
implicit flow and the code flow section was not changed.<o:p></o:p></p>
<p><a
href="https://bitbucket.org/openid/connect/pull-requests/620"
moz-do-not-send="true" class="moz-txt-link-freetext">https://bitbucket.org/openid/connect/pull-requests/620</a><o:p></o:p></p>
<p><a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest</a><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">redirect_uri<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">REQUIRED.
Redirection URI to which the response will be sent. This URI
MUST exactly match one of the Redirection URI values for the
Client pre-registered at the OpenID Provider, with the
matching performed as described in Section 6.2.1 of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When using this
flow, the Redirection URI MUST NOT use the
<tt><span style="font-size:10.0pt">http</span></tt> scheme
unless the Client is a native application, in which case it
MAY use the
<tt><span style="font-size:10.0pt">http</span></tt> scheme
with <tt><span style="font-size:10.0pt">localhost</span></tt>
or the IP loopback literals
<tt><span style="font-size:10.0pt">127.0.0.1</span></tt> or
<tt><span style="font-size:10.0pt">[::1]</span></tt> as the
hostname.
<o:p></o:p></p>
</blockquote>
<p><o:p> </o:p></p>
<p>I was expecting that this errata would apply to the code flow
as well, and that the redirect_uri spec here will be aligned
with the updated application_type spec in OIDC Dynamic Client
Registration. I think this is crucial; developers today are
typically concerned with the code flow.<o:p></o:p></p>
<p><o:p> </o:p></p>
<p><a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest</a><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">redirect_uri<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">REQUIRED.
Redirection URI to which the response will be sent. This URI
MUST exactly match one of the Redirection URI values for the
Client pre-registered at the OpenID Provider, with the
matching performed as described in Section 6.2.1 of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When using this
flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10.0pt">https</span></tt> scheme;
however, it MAY use the
<tt><span style="font-size:10.0pt">http</span></tt> scheme,
provided that the Client Type is
<tt><span style="font-size:10.0pt">confidential</span></tt>,
as defined in Section 2.1 of OAuth 2.0, and provided the OP
allows the use of
<tt><span style="font-size:10.0pt">http</span></tt>
Redirection URIs in this case. The Redirection URI MAY use
an alternate scheme, such as one that is intended to
identify a callback into a native application.
<o:p></o:p></p>
</blockquote>
<p><o:p> </o:p></p>
<pre>Vladimir Dzhuvinov<o:p></o:p></pre>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On 22/10/2023 02:26, Michael Jones via
Openid-specs-ab wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">The 45-day foundation-wide review is now
under way, as announced at
<a
href="https://openid.net/review-second-proposed-errata-openid-connect-specifications/"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://openid.net/review-second-proposed-errata-openid-connect-specifications/</a>
and
<a
href="https://twitter.com/openid/status/1715869175376396543"
moz-do-not-send="true" class="moz-txt-link-freetext">https://twitter.com/openid/status/1715869175376396543</a>.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks to Mike Leszcz for making the blog
post.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">
-- Mike<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="mso-ligatures:none">From:</span></b><span
style="mso-ligatures:none"> Openid-specs-ab
<a
href="mailto:openid-specs-ab-bounces@lists.openid.net"
moz-do-not-send="true">&lt;openid-specs-ab-bounces@lists.openid.net&gt;</a>
<b>On Behalf Of </b>Michael Jones via Openid-specs-ab<br>
<b>Sent:</b> Monday, October 2, 2023 6:19 PM<br>
<b>To:</b> <a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true" class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Michael Jones <a
href="mailto:michael_b_jones@hotmail.com"
moz-do-not-send="true">&lt;michael_b_jones@hotmail.com&gt;</a><br>
<b>Subject:</b> [Openid-specs-ab] WGLC for candidate
OpenID Connect errata correction drafts</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This note begins a two-week Working Group
Last Call (WGLC) for the candidate errata correction drafts
below. The WGLC concludes as of the working group call on
Monday, October 16.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Please let us know if you believe that
any changes need to be made to these drafts before the
Foundation-wide 45-day review for them. Please identify any
proposed changes by filing issues at
<a
href="https://bitbucket.org/openid/connect/issues?status=new&amp;status=open"
moz-do-not-send="true">https://bitbucket.org/openid/connect/issues?status=new&amp;status=open</a>
marked with the Errata milestone.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This should put us on track to have
approved errata drafts published by the second week of
December.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">
-- Mike (writing as co-chair)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="mso-ligatures:none">From:</span></b><span
style="mso-ligatures:none"> Michael Jones
<br>
<b>Sent:</b> Sunday, October 1, 2023 12:26 AM<br>
<b>To:</b> <a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true" class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Gail Hodges &lt;<a
href="mailto:gail@oidf.org" moz-do-not-send="true"
class="moz-txt-link-freetext">gail@oidf.org</a>&gt;;
Mike Leszcz &lt;<a href="mailto:mike.leszcz@oidf.org"
moz-do-not-send="true" class="moz-txt-link-freetext">mike.leszcz@oidf.org</a>&gt;<br>
<b>Subject:</b> Second candidate OpenID Connect errata
correction drafts published</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’ve published drafts incorporating all
the additional errata corrections that have been approved
for the OpenID Connect family of specifications since the
first set of candidate drafts were published on August 13<sup>th</sup>.
This puts us on the doorstep of publishing our second errata
set for OpenID Connect and for submission to ISO as Publicly
Available Specification (PAS) standards.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The drafts incorporating the errata
corrections are:<o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3"><a
href="https://openid.net/specs/openid-connect-core-1_0-33.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-33.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3"><a
href="https://openid.net/specs/openid-connect-discovery-1_0-36.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-discovery-1_0-36.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3"><a
href="https://openid.net/specs/openid-connect-registration-1_0-38.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-registration-1_0-38.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3"><a
href="https://openid.net/specs/openid-connect-backchannel-1_0-12.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-backchannel-1_0-12.html</a><o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The History sections of the specs
describe each of the changes made. If you want to see the
precise changes incorporated, I suggest using your favorite
HTML-capable diff tool (such as Microsoft Word) and
comparing the baseline docs below to the ones above:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l4 level1 lfo6"><a
href="https://openid.net/specs/openid-connect-core-1_0-errata1.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-errata1.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l4 level1 lfo6"><a
href="https://openid.net/specs/openid-connect-discovery-1_0-errata1.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-discovery-1_0-errata1.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l4 level1 lfo6"><a
href="https://openid.net/specs/openid-connect-registration-1_0-errata1.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-registration-1_0-errata1.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l4 level1 lfo6"><a
href="https://openid.net/specs/openid-connect-backchannel-1_0-final.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-backchannel-1_0-final.html</a><o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Diffs are also possible for the .txt and
.xml versions of the specs; just substitute “html” in the
URLs above for “txt” or “xml” and use your favorite diff
tool.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I plan to ask for working group review of
these changes during Monday’s working group call. Following
the working group review, we’ll hold the foundation-wide
45-day proposed errata review and then the approval vote.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">
-- Mike<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">P.S. Our two Implementer’s Guides were
also updated in parallel to keep them current with the
versions incorporating errata corrections. The
corresponding versions are:<o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo9"><a
href="https://openid.net/specs/openid-connect-basic-1_0-45.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-basic-1_0-45.html</a><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level1 lfo9"><a
href="https://openid.net/specs/openid-connect-implicit-1_0-28.html"
moz-do-not-send="true" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-implicit-1_0-28.html</a><o:p></o:p></li>
</ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Openid-specs-ab mailing list<o:p></o:p></pre>
<pre><a href="mailto:Openid-specs-ab@lists.openid.net"
moz-do-not-send="true" class="moz-txt-link-freetext">Openid-specs-ab@lists.openid.net</a><o:p></o:p></pre>
<pre><a
href="https://lists.openid.net/mailman/listinfo/openid-specs-ab"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></pre>
</blockquote>
</div>
</blockquote>
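<p>Added example (not part of the original thread, and not code from the OpenID Connect specifications or from any OP implementation): a Python check of a code flow <tt>redirect_uri</tt> against the rules in the proposed wording quoted above, including the loopback allowance. The function name, the <tt>op_allows_http</tt> policy flag and the registered URIs are assumptions made for illustration.</p>

```python
from urllib.parse import urlsplit

# Hosts named in the proposed wording. urlsplit().hostname lowercases the host
# and strips the brackets from the IPv6 literal, so [::1] appears here as ::1.
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

# Constructed registration data for one hypothetical client.
REGISTERED = (
    "https://client.example.org/cb",
    "http://127.0.0.1:8080/cb",
    "http://[::1]:8080/cb",
    "http://app.example.org/cb",
    "com.example.app:/oauth2redirect",
)


def check_code_flow_redirect_uri(requested, registered, client_type,
                                 op_allows_http=False):
    """Return (accepted, reason) for a code flow redirect_uri."""
    # Exact match by simple string comparison (RFC 3986, section 6.2.1):
    # no case folding, no default-port or trailing-slash normalisation,
    # no prefix matching.
    if not any(requested == uri for uri in registered):
        return False, "no exact match among registered redirect URIs"

    parts = urlsplit(requested)
    if parts.scheme == "https":
        return True, "https"
    if parts.scheme == "http":
        # Decide on the parsed host, never on a string prefix, so that
        # userinfo or look-alike domains cannot pass as loopback.
        if parts.hostname in LOOPBACK_HOSTS:
            return True, "http with loopback host"
        if client_type == "confidential" and op_allows_http:
            return True, "http for confidential client, allowed by OP policy"
        return False, "http needs a loopback host or a confidential client with OP opt-in"
    if parts.scheme:
        return True, "alternate scheme, e.g. native application callback"
    return False, "missing scheme"
```

<p>Because matching is exact, a loopback URI is accepted only with the port and path that were registered.</p>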
</body>
</html>