<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>The URLs are compared as simple strings. If a port is given it is
naturally included.</p>
<p><a class="moz-txt-link-freetext" href="https://www.rfc-editor.org/rfc/rfc3986.html#section-6.2.1">https://www.rfc-editor.org/rfc/rfc3986.html#section-6.2.1</a><br>
</p>
<pre class="moz-signature" cols="72">Vladimir Dzhuvinov</pre>
<div class="moz-cite-prefix">On 26/10/2023 20:41, Tom Jones wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK2Cwb7VqNcfh8oki=gCS7-efQRJv0A1dUpep0jjqVKH=sS=Gw@mail.gmail.com">
<div dir="ltr"> In general I like this wording.
<div><br>
</div>
<div>Sorry I don't have the time to check, but it needs to be
clear that URL matching includes the port number.</div>
<div><br clear="all">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>..tom</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Oct 26, 2023 at
10:32 AM Michael Jones via Openid-specs-ab &lt;<a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true" class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="msg4702935023171537033">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="m_4702935023171537033WordSection1">
<p class="MsoNormal">Looking at this again, I now
believe that the right addition is:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">redirect_uri</p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED.
Redirection URI to which the response will be sent.
This URI MUST exactly match one of the Redirection URI
values for the Client pre-registered at the OpenID
Provider, with the matching performed as described in
Section 6.2.1 of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
target="_blank" moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When using
this flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10pt">https</span></tt>
scheme; however, it MAY use the
<tt><span style="font-size:10pt">http</span></tt>
scheme, provided that the Client Type is
<tt><span style="font-size:10pt">confidential</span></tt>,
as defined in Section 2.1 of OAuth 2.0, and provided
the OP allows the use of
<tt><span style="font-size:10pt">http</span></tt>
Redirection URIs in this case.
<span style="color:rgb(0,176,80)">Also, if the Client
is a native application, it MAY use the
</span><tt><span
style="font-size:10pt;color:rgb(0,176,80)">http</span></tt><span
style="color:rgb(0,176,80)"> scheme with
</span><tt><span
style="font-size:10pt;color:rgb(0,176,80)">localhost</span></tt><span
style="color:rgb(0,176,80)"> or the IP loopback
literals
</span><tt><span
style="font-size:10pt;color:rgb(0,176,80)">127.0.0.1</span></tt><span
style="color:rgb(0,176,80)"> or
</span><tt><span
style="font-size:10pt;color:rgb(0,176,80)">[::1]</span></tt><span
style="color:rgb(0,176,80)"> as the hostname.</span>
The Redirection URI MAY use an alternate scheme, such
as one that is intended to identify a callback into a
native application.
</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Please confirm.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
-- Mike</p>
<p class="MsoNormal"> </p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span>
Vladimir Dzhuvinov &lt;<a
href="mailto:vladimir@connect2id.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">vladimir@connect2id.com</a>&gt;
<br>
<b>Sent:</b> Thursday, October 26, 2023 8:00 AM<br>
<b>To:</b> Michael Jones &lt;<a
href="mailto:michael_b_jones@hotmail.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">michael_b_jones@hotmail.com</a>&gt;;
Artifact Binding/Connect Working Group &lt;<a
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a>&gt;<br>
<b>Subject:</b> Re: [Openid-specs-ab] WGLC for
candidate OpenID Connect errata correction
drafts</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p>Thanks Mike. This change should do it to align the
OIDC code flow redirect_uri with the rest of the
updated specs.</p>
<pre>Vladimir Dzhuvinov</pre>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">On 26/10/2023 17:38, Michael
Jones wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p style="margin:0in">Thanks for catching this,
Vladimir.</p>
<p style="margin:0in"> </p>
<p style="margin:0in">Is this the kind of wording you
were looking for at <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">
https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest</a>
?</p>
<p style="margin:0in"> </p>
<p class="MsoNormal">redirect_uri</p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED.
Redirection URI to which the response will be sent.
This URI MUST exactly match one of the Redirection
URI values for the Client pre-registered at the
OpenID Provider, with the matching performed as
described in Section 6.2.1 of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
target="_blank" moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When
using this flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10pt">https</span></tt>
scheme; however, it MAY use the
<tt><span style="font-size:10pt">http</span></tt>
scheme, provided that the Client Type is
<tt><span style="font-size:10pt">confidential</span></tt>,
as defined in Section 2.1 of OAuth 2.0, and provided
the OP allows the use of
<tt><span style="font-size:10pt">http</span></tt>
Redirection URIs in this case.
<span style="color:red">It MAY also use the </span><tt><span
style="font-size:10pt;color:red">http</span></tt><span
style="color:red"> scheme with
</span><tt><span style="font-size:10pt;color:red">localhost</span></tt><span
style="color:red"> or the IP loopback literals
</span><tt><span style="font-size:10pt;color:red">127.0.0.1</span></tt><span
style="color:red"> or
</span><tt><span style="font-size:10pt;color:red">[::1]</span></tt><span
style="color:red"> as the hostname.</span> The
Redirection URI MAY use an alternate scheme, such as
one that is intended to identify a callback into a
native application.
</p>
<p style="margin:0in"> </p>
<p class="MsoNormal">
-- Mike</p>
<p class="MsoNormal"> </p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span>
Openid-specs-ab
<a
href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank"
moz-do-not-send="true">&lt;openid-specs-ab-bounces@lists.openid.net&gt;</a>
<b>On Behalf Of </b>Vladimir Dzhuvinov via
Openid-specs-ab<br>
<b>Sent:</b> Thursday, October 26, 2023 4:10
AM<br>
<b>To:</b> <a
href="mailto:openid-specs-ab@lists.openid.net" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Vladimir Dzhuvinov <a
href="mailto:vladimir@connect2id.com"
target="_blank" moz-do-not-send="true">&lt;vladimir@connect2id.com&gt;</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] WGLC for
candidate OpenID Connect errata correction
drafts</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p>Regarding </p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">Fixed #2026: Clarified
description of loopback hostnames for native
applications.</p>
</blockquote>
<p>I noticed that in OIDC Core the change was applied
to the implicit flow and the code flow section was not
changed.</p>
<p><a
href="https://bitbucket.org/openid/connect/pull-requests/620"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://bitbucket.org/openid/connect/pull-requests/620</a></p>
<p><a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest</a></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">redirect_uri</p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED.
Redirection URI to which the response will be
sent. This URI MUST exactly match one of the
Redirection URI values for the Client
pre-registered at the OpenID Provider, with the
matching performed as described in Section 6.2.1
of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
target="_blank" moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When
using this flow, the Redirection URI MUST NOT use
the
<tt><span style="font-size:10pt">http</span></tt>
scheme unless the Client is a native application,
in which case it MAY use the
<tt><span style="font-size:10pt">http</span></tt>
scheme with <tt><span style="font-size:10pt">localhost</span></tt>
or the IP loopback literals
<tt><span style="font-size:10pt">127.0.0.1</span></tt>
or <tt><span style="font-size:10pt">[::1]</span></tt>
as the hostname.
</p>
</blockquote>
<p> </p>
<p>I was expecting that this errata would apply to the
code flow as well, and that the redirect_uri spec
here will be aligned with the updated
application_type spec in OIDC Dynamic Client
Registration. I think this is crucial; developers
today are typically concerned with the code flow.</p>
<p> </p>
<p><a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest</a></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">redirect_uri</p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED.
Redirection URI to which the response will be
sent. This URI MUST exactly match one of the
Redirection URI values for the Client
pre-registered at the OpenID Provider, with the
matching performed as described in Section 6.2.1
of <a
href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986"
target="_blank" moz-do-not-send="true">
[RFC3986]</a> (Simple String Comparison). When
using this flow, the Redirection URI SHOULD use
the
<tt><span style="font-size:10pt">https</span></tt>
scheme; however, it MAY use the
<tt><span style="font-size:10pt">http</span></tt>
scheme, provided that the Client Type is
<tt><span style="font-size:10pt">confidential</span></tt>,
as defined in Section 2.1 of OAuth 2.0, and
provided the OP allows the use of
<tt><span style="font-size:10pt">http</span></tt>
Redirection URIs in this case. The Redirection URI
MAY use an alternate scheme, such as one that is
intended to identify a callback into a native
application.
</p>
</blockquote>
<p> </p>
<pre>Vladimir Dzhuvinov</pre>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">On 22/10/2023 02:26, Michael
Jones via Openid-specs-ab wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">The 45-day foundation-wide
review is now under way, as announced at
<a
href="https://openid.net/review-second-proposed-errata-openid-connect-specifications/"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">
https://openid.net/review-second-proposed-errata-openid-connect-specifications/</a>
and
<a
href="https://twitter.com/openid/status/1715869175376396543"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://twitter.com/openid/status/1715869175376396543</a>.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks to Mike Leszcz for
making the blog post.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
-- Mike</p>
<p class="MsoNormal"> </p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span>
Openid-specs-ab
<a
href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank"
moz-do-not-send="true">&lt;openid-specs-ab-bounces@lists.openid.net&gt;</a>
<b>On Behalf Of </b>Michael Jones via
Openid-specs-ab<br>
<b>Sent:</b> Monday, October 2, 2023 6:19 PM<br>
<b>To:</b> <a
href="mailto:openid-specs-ab@lists.openid.net" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Michael Jones <a
href="mailto:michael_b_jones@hotmail.com"
target="_blank" moz-do-not-send="true">&lt;michael_b_jones@hotmail.com&gt;</a><br>
<b>Subject:</b> [Openid-specs-ab] WGLC for
candidate OpenID Connect errata correction
drafts</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">This note begins a two-week
Working Group Last Call (WGLC) for the candidate
errata correction drafts below. The WGLC
concludes as of the working group call on Monday,
October 16.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Please let us know if you
believe that any changes need to be made to these
drafts before the Foundation-wide 45-day review
for them. Please identify any proposed changes by
filing issues at
<a
href="https://bitbucket.org/openid/connect/issues?status=new&amp;status=open"
target="_blank" moz-do-not-send="true">https://bitbucket.org/openid/connect/issues?status=new&amp;status=open</a>
marked with the Errata milestone.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">This should put us on track to
have approved errata drafts published by the
second week of December.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
-- Mike (writing as co-chair)</p>
<p class="MsoNormal"> </p>
<div>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span>
Michael Jones
<br>
<b>Sent:</b> Sunday, October 1, 2023 12:26
AM<br>
<b>To:</b> <a
href="mailto:openid-specs-ab@lists.openid.net" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Gail Hodges &lt;<a
href="mailto:gail@oidf.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">gail@oidf.org</a>&gt;;
Mike Leszcz &lt;<a
href="mailto:mike.leszcz@oidf.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">mike.leszcz@oidf.org</a>&gt;<br>
<b>Subject:</b> Second candidate OpenID
Connect errata correction drafts published</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ve published drafts
incorporating all the additional errata
corrections that have been approved for the OpenID
Connect family of specifications since the first
set of candidate drafts were published on August
13<sup>th</sup>. This puts us on the doorstep of
publishing our second errata set for OpenID
Connect and for submission to ISO as Publicly
Available Specification (PAS) standards.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The drafts incorporating the
errata corrections are:</p>
<ol style="margin-top:0in" type="1" start="1">
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-core-1_0-33.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-33.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-discovery-1_0-36.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-discovery-1_0-36.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-registration-1_0-38.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-registration-1_0-38.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-backchannel-1_0-12.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-backchannel-1_0-12.html</a></li>
</ol>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The History sections of the
specs describe each of the changes made. If you
want to see the precise changes incorporated, I
suggest using your favorite HTML-capable diff tool
(such as Microsoft Word) and comparing the
baseline docs below to the ones above:</p>
<p class="MsoNormal"> </p>
<ol style="margin-top:0in" type="1" start="1">
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-core-1_0-errata1.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0-errata1.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-discovery-1_0-errata1.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-discovery-1_0-errata1.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-registration-1_0-errata1.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-registration-1_0-errata1.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-backchannel-1_0-final.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-backchannel-1_0-final.html</a></li>
</ol>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Diffs are also possible for the
.txt and .xml versions of the specs; just
substitute “html” in the URLs above for “txt” or
“xml” and use your favorite diff tool.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I plan to ask for working group
review of these changes during Monday’s working
group call. Following the working group review,
we’ll hold the foundation-wide 45-day proposed
errata review and then the approval vote.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
-- Mike</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">P.S. Our two Implementer’s
Guides were also updated in parallel to keep them
current with the versions incorporating errata
corrections. The corresponding versions are:</p>
<ol style="margin-top:0in" type="1" start="1">
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-basic-1_0-45.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-basic-1_0-45.html</a></li>
<li class="m_4702935023171537033MsoListParagraph"
style="margin-left:0in"><a
href="https://openid.net/specs/openid-connect-implicit-1_0-28.html"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-implicit-1_0-28.html</a></li>
</ol>
<p class="MsoNormal"> </p>
<pre>_______________________________________________</pre>
<pre>Openid-specs-ab mailing list</pre>
<pre><a
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Openid-specs-ab@lists.openid.net</a></pre>
<pre><a
href="https://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a></pre>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
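<p>The matching and scheme rules of the proposed code-flow redirect_uri text, as an added Python example that is not part of the thread or of the OpenID Connect specifications. The client record field client_type, the op_allows_http switch and the sample clients are assumptions made for illustration; application_type is the Dynamic Client Registration parameter mentioned in the thread.</p>

```python
from urllib.parse import urlsplit

# Loopback hosts named in the proposed text. urlsplit().hostname drops the
# brackets from an IPv6 literal, so [::1] appears here as ::1.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def exact_match(requested, registered_uris):
    """RFC 3986 section 6.2.1 simple string comparison: no case folding and
    no default-port or trailing-slash normalization; a port is part of the string."""
    return any(requested == uri for uri in registered_uris)


def scheme_allowed(uri, client, op_allows_http):
    """Scheme rules of the proposed code-flow wording (assumed client fields)."""
    try:
        parts = urlsplit(uri)
    except ValueError:  # for example an unterminated IPv6 literal
        return False
    if not parts.scheme:
        return False  # a redirection URI has to be absolute
    if parts.scheme != "http":
        # https, or an alternate scheme for a native callback. The text permits
        # any; an OP would normally vet alternate schemes at registration.
        return True
    if client["client_type"] == "confidential" and op_allows_http:
        return True
    return client["application_type"] == "native" and parts.hostname in LOOPBACK_HOSTS


def check_redirect_uri(requested, client, op_allows_http=False):
    """Return 'ok', 'no_exact_match' or 'scheme_not_allowed'."""
    if not exact_match(requested, client["redirect_uris"]):
        return "no_exact_match"
    if not scheme_allowed(requested, client, op_allows_http):
        return "scheme_not_allowed"
    return "ok"


# Constructed sample clients (not taken from the thread).
NATIVE = {"client_type": "public", "application_type": "native",
          "redirect_uris": ["http://127.0.0.1:8080/cb", "http://[::1]:8080/cb",
                            "com.example.app:/oauth2redirect"]}
WEB = {"client_type": "public", "application_type": "web",
       "redirect_uris": ["https://rp.example.com/cb", "http://rp.example.com/cb"]}

if __name__ == "__main__":
    for client, uri in [
        (NATIVE, "http://127.0.0.1:8080/cb"),   # registered string, loopback
        (NATIVE, "http://127.0.0.1:9090/cb"),   # port differs
        (NATIVE, "HTTP://127.0.0.1:8080/cb"),   # scheme case differs
        (WEB, "http://rp.example.com/cb"),      # http, public web client
    ]:
        print(uri, check_redirect_uri(uri, client))
```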
</body>
</html>