[Openid-specs-fapi] Issue #833: Use of non-standard port numbers for https (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Sat Oct 25 18:24:25 UTC 2025
New issue 833: Use of non-standard port numbers for https
https://bitbucket.org/openid/fapi/issues/833/use-of-non-standard-port-numbers-for-https
Joseph Heenan:
An interoperability issue was raised with the conformance team where an OP was hosting their MTLS-requiring endpoints on port 8443 (whereas their non-MTLS endpoints / discovery doc were on the usual port 443). A certified RP failed to work with the server as the RP’s outgoing firewall only allowed port 443.
By way of background:
1. The OP conformance suite is currently quite happy to allow the use of non-standard port numbers.
2. The RP conformance suite uses only standard port numbers.
3. I’m not aware of any clauses in FAPI or the other standards that prevent the use of non-standard port numbers.
4. My general impression is that at a minimum the overwhelming majority of live ASes use only port 443.
I think we could potentially add a warning in the OP tests when we find non-standard port numbers in use (feedback on whether this is a good idea or not would be appreciated), but I’m not sure if there’s anything else we could/should do? Feedback from WG members would be most welcome.
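One way such a warning could be computed from an OP's discovery document, as an added example that is not part of the original message or of the conformance suite's code. The sample metadata and hostnames are constructed, and it assumes the mTLS endpoints are advertised under `mtls_endpoint_aliases` (RFC 8705):

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document; hostnames are placeholders.
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://op.example.com",
  "authorization_endpoint": "https://op.example.com/authorize",
  "token_endpoint": "https://op.example.com/token",
  "jwks_uri": "https://op.example.com:443/jwks",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.op.example.com:8443/token",
    "userinfo_endpoint": "https://mtls.op.example.com:8443/userinfo"
  }
}
""")


def iter_urls(node, path=""):
    """Yield (json_path, url) for every https URL string in the metadata."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.lower().startswith("https://"):
        yield path, node


def non_standard_port_warnings(metadata):
    """Return (json_path, url, port) for each https URL not on port 443.

    An explicit ":443" is treated the same as no port. A port that cannot
    be parsed is reported with port=None so it is not silently skipped.
    """
    warnings = []
    for path, url in iter_urls(metadata):
        try:
            port = urlsplit(url).port  # raises ValueError on a bad port
        except ValueError:
            warnings.append((path, url, None))
            continue
        if port is not None and port != 443:
            warnings.append((path, url, port))
    return sorted(warnings, key=lambda w: w[0])
```
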