<div dir="ltr">Thanks. You can still file these comments during the public review period. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 27 Oct 2023 at 02:41, Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"> In general I like this wording. <div><br></div><div>Sorry I don't have the time to check, but it needs to be clear that url matching includes the port number.</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 26, 2023 at 10:32 AM Michael Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div lang="EN-US">
<div>
<p class="MsoNormal">Looking at this again, I now believe that the right addition is:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">redirect_uri<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described
in Section 6.2.1 of <a href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986" target="_blank">
[RFC3986]</a> (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10pt">https</span></tt> scheme; however, it MAY use the
<tt><span style="font-size:10pt">http</span></tt> scheme, provided that the Client Type is
<tt><span style="font-size:10pt">confidential</span></tt>, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of
<tt><span style="font-size:10pt">http</span></tt> Redirection URIs in this case.
<span style="color:rgb(0,176,80)">Also, if the Client is a native application, it MAY use the
</span><tt><span style="font-size:10pt;color:rgb(0,176,80)">http</span></tt><span style="color:rgb(0,176,80)"> scheme with
</span><tt><span style="font-size:10pt;color:rgb(0,176,80)">localhost</span></tt><span style="color:rgb(0,176,80)"> or the IP loopback literals
</span><tt><span style="font-size:10pt;color:rgb(0,176,80)">127.0.0.1</span></tt><span style="color:rgb(0,176,80)"> or
</span><tt><span style="font-size:10pt;color:rgb(0,176,80)">[::1]</span></tt><span style="color:rgb(0,176,80)"> as the hostname.</span> The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Please confirm.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span> Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>>
<br>
<b>Sent:</b> Thursday, October 26, 2023 8:00 AM<br>
<b>To:</b> Michael Jones <<a href="mailto:michael_b_jones@hotmail.com" target="_blank">michael_b_jones@hotmail.com</a>>; Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] WGLC for candidate OpenID Connect errata correction drafts<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p>Thanks Mike. This change should do it to align the OIDC code flow redirect_uri with the rest of the updated specs.<u></u><u></u></p>
<pre>Vladimir Dzhuvinov<u></u><u></u></pre>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">On 26/10/2023 17:38, Michael Jones wrote:<u></u><u></u></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p style="margin:0in">Thanks for catching this, Vladimir.<u></u><u></u></p>
<p style="margin:0in"> <u></u><u></u></p>
<p style="margin:0in">Is this the kind of wording you were looking for at <a href="https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest" target="_blank">
https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest</a> ?<u></u><u></u></p>
<p style="margin:0in"> <u></u><u></u></p>
<p class="MsoNormal">redirect_uri<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described
in Section 6.2.1 of <a href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986" target="_blank">
[RFC3986]</a> (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10pt">https</span></tt> scheme; however, it MAY use the
<tt><span style="font-size:10pt">http</span></tt> scheme, provided that the Client Type is
<tt><span style="font-size:10pt">confidential</span></tt>, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of
<tt><span style="font-size:10pt">http</span></tt> Redirection URIs in this case.
<span style="color:red">It MAY also use the </span><tt><span style="font-size:10pt;color:red">http</span></tt><span style="color:red"> scheme with
</span><tt><span style="font-size:10pt;color:red">localhost</span></tt><span style="color:red"> or the IP loopback literals
</span><tt><span style="font-size:10pt;color:red">127.0.0.1</span></tt><span style="color:red"> or
</span><tt><span style="font-size:10pt;color:red">[::1]</span></tt><span style="color:red"> as the hostname.</span> The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
<u></u><u></u></p>
<p style="margin:0in"> <u></u><u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span> Openid-specs-ab
<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank"><openid-specs-ab-bounces@lists.openid.net></a>
<b>On Behalf Of </b>Vladimir Dzhuvinov via Openid-specs-ab<br>
<b>Sent:</b> Thursday, October 26, 2023 4:10 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Vladimir Dzhuvinov <a href="mailto:vladimir@connect2id.com" target="_blank"><vladimir@connect2id.com></a><br>
<b>Subject:</b> Re: [Openid-specs-ab] WGLC for candidate OpenID Connect errata correction drafts</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p>Regarding <u></u><u></u></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">Fixed #2026: Clarified description of loopback hostnames for native applications.<u></u><u></u></p>
</blockquote>
<p>I noticed that in OIDC Core the change was applied to the implicit flow and the code flow section not changed.<u></u><u></u></p>
<p><a href="https://bitbucket.org/openid/connect/pull-requests/620" target="_blank">https://bitbucket.org/openid/connect/pull-requests/620</a><u></u><u></u></p>
<p><a href="https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest" target="_blank">https://openid.net/specs/openid-connect-core-1_0-33.html#ImplicitAuthRequest</a><u></u><u></u></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">redirect_uri<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described
in Section 6.2.1 of <a href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986" target="_blank">
[RFC3986]</a> (Simple String Comparison). When using this flow, the Redirection URI MUST NOT use the
<tt><span style="font-size:10pt">http</span></tt> scheme unless the Client is a native application, in which case it MAY use the
<tt><span style="font-size:10pt">http</span></tt> scheme with <tt><span style="font-size:10pt">localhost</span></tt> or the IP loopback literals
<tt><span style="font-size:10pt">127.0.0.1</span></tt> or <tt><span style="font-size:10pt">[::1]</span></tt> as the hostname.
<u></u><u></u></p>
</blockquote>
<p> <u></u><u></u></p>
<p>I was expecting that this errata would apply to the code flow as well, and that the redirect_uri spec here will be aligned with the updated application_type spec in OIDC Dynamic Client Registration. I think this is crucial, developers today are typically
concerned with the code flow.<u></u><u></u></p>
<p> <u></u><u></u></p>
<p><a href="https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest" target="_blank">https://openid.net/specs/openid-connect-core-1_0-33.html#AuthRequest</a><u></u><u></u></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">redirect_uri<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:0.5in">REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described
in Section 6.2.1 of <a href="https://openid.net/specs/openid-connect-core-1_0-33.html#RFC3986" target="_blank">
[RFC3986]</a> (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the
<tt><span style="font-size:10pt">https</span></tt> scheme; however, it MAY use the
<tt><span style="font-size:10pt">http</span></tt> scheme, provided that the Client Type is
<tt><span style="font-size:10pt">confidential</span></tt>, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of
<tt><span style="font-size:10pt">http</span></tt> Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
<u></u><u></u></p>
</blockquote>
<p> <u></u><u></u></p>
<pre>Vladimir Dzhuvinov<u></u><u></u></pre>
<div>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">On 22/10/2023 02:26, Michael Jones via Openid-specs-ab wrote:<u></u><u></u></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<p class="MsoNormal">The 45-day foundation-wide review is now under way, as announced at
<a href="https://openid.net/review-second-proposed-errata-openid-connect-specifications/" target="_blank">
https://openid.net/review-second-proposed-errata-openid-connect-specifications/</a> and
<a href="https://twitter.com/openid/status/1715869175376396543" target="_blank">https://twitter.com/openid/status/1715869175376396543</a>.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks to Mike Leszcz for making the blog post.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span> Openid-specs-ab
<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank"><openid-specs-ab-bounces@lists.openid.net></a>
<b>On Behalf Of </b>Michael Jones via Openid-specs-ab<br>
<b>Sent:</b> Monday, October 2, 2023 6:19 PM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Michael Jones <a href="mailto:michael_b_jones@hotmail.com" target="_blank"><michael_b_jones@hotmail.com></a><br>
<b>Subject:</b> [Openid-specs-ab] WGLC for candidate OpenID Connect errata correction drafts</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">This note begins a two-week Working Group Last Call (WGLC) for the candidate errata correction drafts below. The WGLC concludes as of the working group call on Monday, October 16.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Please let us know if you believe that any changes need to be made to these drafts before the Foundation-wide 45-day review for them. Please identify any proposed changes by filing issues at
<a href="https://bitbucket.org/openid/connect/issues?status=new&status=open" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open</a> marked with the Errata milestone.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">This should put us on track to have approved errata drafts published by the second week of December.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> -- Mike (writing as co-chair)<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span>From:</span></b><span> Michael Jones
<br>
<b>Sent:</b> Sunday, October 1, 2023 12:26 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Gail Hodges <<a href="mailto:gail@oidf.org" target="_blank">gail@oidf.org</a>>; Mike Leszcz <<a href="mailto:mike.leszcz@oidf.org" target="_blank">mike.leszcz@oidf.org</a>><br>
<b>Subject:</b> Second candidate OpenID Connect errata correction drafts published</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">I’ve published drafts incorporating all the additional errata corrections that have been approved for the OpenID Connect family of specifications since the first set of candidate drafts were published on August 13<sup>th</sup>. This puts
us on the doorstep of publishing our second errata set for OpenID Connect and for submission to ISO as Publicly Available Specification (PAS) standards.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">The drafts incorporating the errata corrections are:<u></u><u></u></p>
<ol style="margin-top:0in" start="1" type="1">
<li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-core-1_0-33.html" target="_blank">https://openid.net/specs/openid-connect-core-1_0-33.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-discovery-1_0-36.html" target="_blank">https://openid.net/specs/openid-connect-discovery-1_0-36.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-registration-1_0-38.html" target="_blank">https://openid.net/specs/openid-connect-registration-1_0-38.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-backchannel-1_0-12.html" target="_blank">https://openid.net/specs/openid-connect-backchannel-1_0-12.html</a><u></u><u></u></li></ol>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">The History sections of the specs describe each of the changes made. If you want to see the precise changes incorporated, I suggest using your favorite HTML-capable diff tool (such as Microsoft Word) and comparing the baseline docs below
to the ones above:<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<ol style="margin-top:0in" start="1" type="1">
<li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-core-1_0-errata1.html" target="_blank">https://openid.net/specs/openid-connect-core-1_0-errata1.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-discovery-1_0-errata1.html" target="_blank">https://openid.net/specs/openid-connect-discovery-1_0-errata1.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-registration-1_0-errata1.html" target="_blank">https://openid.net/specs/openid-connect-registration-1_0-errata1.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-backchannel-1_0-final.html" target="_blank">https://openid.net/specs/openid-connect-backchannel-1_0-final.html</a><u></u><u></u></li></ol>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Diffs are also possible for the .txt and .xml versions of the specs; just substitute “html” in the URLs above for “txt” or “xml” and use your favorite diff tool.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">I plan to ask for working group review of these changes during Monday’s working group call. Following the working group review, we’ll hold the foundation-wide 45-day proposed errata review and then the approval vote.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> -- Mike<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">P.S. Our two Implementer’s Guides were also updated in parallel to keep them current with the versions incorporating errata corrections. The corresponding versions are:<u></u><u></u></p>
<ol style="margin-top:0in" start="1" type="1">
<li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-basic-1_0-45.html" target="_blank">https://openid.net/specs/openid-connect-basic-1_0-45.html</a><u></u><u></u></li><li style="margin-left:0in"><a href="https://openid.net/specs/openid-connect-implicit-1_0-28.html" target="_blank">https://openid.net/specs/openid-connect-implicit-1_0-28.html</a><u></u><u></u></li></ol>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span><br>
<br>
<br>
</span><u></u><u></u></p>
<pre>_______________________________________________<u></u><u></u></pre>
<pre>Openid-specs-ab mailing list<u></u><u></u></pre>
<pre><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><u></u><u></u></pre>
<pre><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></pre>
</blockquote>
</blockquote>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></blockquote></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>