oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

clarify case sensitivity of redirect URI string matching #39

Open aaronpk opened 3 years ago

aaronpk commented 3 years ago

from Vittorio:

The authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986], Section 6.2.1.

RFC3986 6.2.1 talks about character by character comparison, but doesn’t mention case sensitivity. I am sure it does elsewhere in the spec, but for clarity and readability I recommend specifying the desired behavior directly here.

aaronpk commented 3 years ago

Technically I'm not sure case sensitive matching of the host name is actually required if you were to follow RFC3986, since host names are case insensitive. We should probably clarify this in the Security BCP and 2.1.

tlodderstedt commented 3 years ago

RFC 3986 6.2.1. talks about "bit-for-bit" or "byte-for-byte" comparison, which means case sensitive matching. Is that what you want to state?

dickhardt commented 3 years ago

Character by character comparison? Byte for byte can be challenging as different byte arrangements can represent the same character. I do think we are intending a case sensitive string comparison.

aaronpk commented 9 months ago

@tlodderstedt I believe the Security BCP has some updated language to use here, could you pull from that and make a PR?

adeinega commented 9 months ago

Using simple string comparison for redirect URIs is not always possible due to the usage of randomly assigned ports in Redirect URIs for public (native) clients.

The OpenID Connect Core spec says that

REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison).

which kind of makes it "impossible" to use an ephemeral port obtained from the OS for these clients.

aaronpk commented 9 months ago

There's already an exception for the random port, so we'll need to carve that out in this top section too.
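A matching routine that behaves the way this thread converges on, added here as an illustration (it is not text from the draft nor code from the working group): simple string comparison with no case folding, percent-decoding or path normalization, plus the loopback-port carve-out referred to in the last comment. It assumes the carve-out applies only to the IP literals 127.0.0.1 and [::1] (as RFC 8252 Section 7.3 describes it), and the function names and the sample registration are my own.

```python
import re

# Loopback IP literals that may carry a dynamically assigned port.
# Assumption: the carve-out applies only to these literals, as in
# RFC 8252 Section 7.3, not to the hostname "localhost".
_LOOPBACK_RE = re.compile(
    r"^(?P<prefix>[A-Za-z][A-Za-z0-9+.\-]*://(?:127\.0\.0\.1|\[::1\]))"
    r"(?P<port>:[0-9]+)?"
    r"(?P<rest>[/?#].*)?$"
)

def strip_loopback_port(uri: str) -> tuple[str, bool]:
    """Drop only the ':port' of a loopback IP redirect URI.

    Everything else (scheme case, path, query, fragment) is left untouched
    so the remaining comparison stays character for character.
    Returns (uri, True) for a loopback URI, (uri unchanged, False) otherwise.
    """
    m = _LOOPBACK_RE.match(uri)
    if m is None:
        return uri, False
    return m.group("prefix") + (m.group("rest") or ""), True

def redirect_uri_matches(requested: str, registered: list[str]) -> bool:
    """Simple string comparison per RFC 3986 Section 6.2.1.

    No case folding (host included), no percent-decoding, no dot-segment
    removal and no Unicode normalisation: Python's == on str compares code
    points exactly. The only deviation is the loopback port, dropped from
    both sides when both the requested and the registered URI use a
    loopback IP literal.
    """
    req, req_lb = strip_loopback_port(requested)
    for reg in registered:
        reg_s, reg_lb = strip_loopback_port(reg)
        if req_lb and reg_lb:
            if req == reg_s:
                return True
        elif requested == reg:
            return True
    return False

# Constructed sample registration: one web callback and two native-app
# loopback callbacks (IPv4 and IPv6 literals, no fixed port).
REGISTERED = ["https://client.example.com/cb", "http://127.0.0.1/cb", "http://[::1]/cb"]
```

Note that a host spelled `CLIENT.example.com` is rejected even though DNS names are case-insensitive, which is exactly the consequence of "simple string comparison" the thread asks the draft to spell out.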