The Security BCP has pretty clear language around requiring exact matching of redirect URIs now.
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.1

However, the Native Apps BCP has an exception for localhost URIs to allow variable ports.
https://tools.ietf.org/html/rfc8252#section-7.3

Is the intention of the Security BCP to also prevent that use case? If so, it should probably be spelled out explicitly, since there is currently no mention of this. If not, then that exception should also be repeated in the Security BCP, since it is currently somewhat ambiguous whether the exception in the Native Apps BCP is still allowed.

Aaron Parecki

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
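For readers following the thread, the following is an added example (not part of the post, not from either BCP's text, and not any authorization server's actual implementation) of what an authorization server's redirect URI check looks like when it applies the exact-match rule from the Security BCP together with the RFC 8252 section 7.3 loopback exception. The assumptions are: non-loopback URIs must match a registered URI byte for byte; a URI is treated as a loopback redirect only when its scheme is `http` and its host is `127.0.0.1` or `::1` (the two forms RFC 8252 names; the hostname `localhost` is deliberately not in the set, since RFC 8252 section 8.3 prefers the literal IP); for loopback URIs the port is ignored but scheme, host, path and query still have to match exactly; and presented URIs carrying a fragment or userinfo are rejected up front. The registered URI list is constructed sample data.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Loopback hosts per RFC 8252 section 7.3 (IPv4 and IPv6 literals).
# "localhost" is intentionally absent: RFC 8252 section 8.3 prefers the
# literal IP because "localhost" can be remapped via the hosts file.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_redirect(uri: str) -> bool:
    """True if the URI is an http:// loopback redirect eligible for the
    variable-port exception. urlsplit().hostname strips IPv6 brackets and
    lowercases the host, so "[::1]" becomes "::1"."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def redirect_uri_matches(registered: str, presented: str) -> bool:
    """Exact-match policy with the loopback port exception.

    Non-loopback: the presented URI must equal the registered string exactly
    (no prefix matching, no extra query parameters, no path tricks).
    Loopback: port may differ, everything else must still match exactly.
    """
    p = urlsplit(presented)
    # A redirect URI must not carry a fragment (RFC 6749 section 3.1.2), and
    # there is no legitimate reason for userinfo in one; reject both early.
    if p.fragment or p.username is not None or p.password is not None:
        return False

    if registered == presented:
        return True

    # Only a registered loopback URI may be matched with a different port,
    # and only by a presented URI that is itself loopback.
    if not (is_loopback_redirect(registered) and is_loopback_redirect(presented)):
        return False

    r = urlsplit(registered)
    return (r.scheme, r.hostname, r.path, r.query) == (
        p.scheme, p.hostname, p.path, p.query)


def find_registered_match(registered_uris: Iterable[str],
                          presented: str) -> Optional[str]:
    """Return the registered URI the presented one matches, or None.
    The authorization server should redirect only when this is not None."""
    for candidate in registered_uris:
        if redirect_uri_matches(candidate, presented):
            return candidate
    return None


# Constructed sample registration for a client that ships both a hosted
# callback and a native-app loopback callback.
REGISTERED_URIS = [
    "https://app.example/cb",
    "http://127.0.0.1/cb",
    "http://[::1]/cb",
]


if __name__ == "__main__":
    cases = [
        "https://app.example/cb",              # exact match -> accepted
        "https://app.example/cb?next=x",       # extra query -> rejected
        "https://app.example/cb/../admin",     # path tampering -> rejected
        "http://127.0.0.1:51234/cb",           # ephemeral port -> accepted
        "http://[::1]:40001/cb",               # IPv6 loopback -> accepted
        "http://127.0.0.1:51234/admin",        # different path -> rejected
        "http://127.0.0.1.evil.example/cb",    # lookalike host -> rejected
        "http://localhost:8080/cb",            # not registered -> rejected
    ]
    for uri in cases:
        print(f"{uri:40} -> {find_registered_match(REGISTERED_URIS, uri)}")
```

The point the thread is circling is visible in the two branches of `redirect_uri_matches`: if the Security BCP means literal exact matching with no exception, the loopback branch has to go and native apps lose ephemeral ports; if the RFC 8252 exception still stands, the port is the only component that may vary, and everything else, including the host literal, stays under the exact-match rule.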