oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

native clients #165

Closed adeinega closed 10 months ago

adeinega commented 1 year ago

Section "2.3.1. Registration Requirements" says that

Authorization servers MUST reject authorization requests that specify a redirect URI that doesn't exactly match one that was registered, with an exception for loopback redirects, where an exact match is required except for the port URI component, see Section 4.1.1 for details.

However, https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html#section-4.1.1 redirects me back

"redirect_uri": OPTIONAL. As described in Section 2.3.

and doesn't mention any nuances with redirect URIs for native clients.

When comparing the two URIs the authorization server MUST ensure that the two URIs are equal, see RFC3986, Section 6.2.1, Simple String Comparison, for details.

It might be worth clarifying these details. Hence, this issue.
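The matching rule the quoted text describes, as an added example that is not part of this issue or of the oauth-v2-1 draft itself: a plain string comparison against each registered redirect URI, with the port ignored only for loopback redirects. The set of loopback hosts (`127.0.0.1` and `::1`, deliberately not `localhost`) and the rule that a client with exactly one registered URI may omit `redirect_uri` are assumptions of this example, as are the function names and the constructed URIs.

```python
from urllib.parse import urlsplit

# Assumption: only these IP literals count as the loopback interface; a
# hostname such as "localhost" gets no port exception here.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _is_loopback_redirect(uri: str) -> bool:
    """True for an http URI whose host is a loopback IP literal."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact match per RFC 3986 6.2.1, except the port of loopback redirects."""
    # Simple string comparison: no case folding, no default-port removal,
    # no path normalization and no prefix matching.
    if registered == requested:
        return True
    # Loopback exception: everything except the port must still be equal.
    if not (_is_loopback_redirect(registered) and _is_loopback_redirect(requested)):
        return False
    r, q = urlsplit(registered), urlsplit(requested)
    return (r.scheme, r.hostname, r.path, r.query, r.fragment) == (
        q.scheme, q.hostname, q.path, q.query, q.fragment
    )


def resolve_redirect_uri(registered_uris, requested):
    """Return the redirect URI the authorization server will use, or None to reject."""
    if requested is None:
        # Assumption: the parameter may be omitted only when a single URI
        # was registered; with several registered it is required.
        return registered_uris[0] if len(registered_uris) == 1 else None
    for registered in registered_uris:
        if redirect_uri_matches(registered, requested):
            return requested
    return None


if __name__ == "__main__":
    # Constructed sample cases, not taken from any real deployment.
    cases = [
        ("https://app.example/cb", "https://app.example/cb"),
        ("https://app.example/cb", "https://app.example/cb/"),
        ("https://app.example/cb", "HTTPS://app.example/cb"),
        ("http://127.0.0.1/cb", "http://127.0.0.1:49152/cb"),
        ("http://[::1]:1234/cb", "http://[::1]:5678/cb"),
        ("http://localhost/cb", "http://localhost:49152/cb"),
    ]
    for registered, requested in cases:
        verdict = "accept" if redirect_uri_matches(registered, requested) else "reject"
        print(f"{verdict:7} registered={registered} requested={requested}")
```

Only the port is exempted, and only when both URIs are `http` loopback literals; a registered `https://127.0.0.1/cb` still requires a byte-for-byte match, and a trailing slash, different case or extra query component on a non-loopback URI is a rejection.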

aaronpk commented 10 months ago

I'm not sure what this has to do with native clients, but I agree it was not very clear. I made it much more explicit in both sections 4.1.1 and 2.3 about when this is required or optional, hope that helps!