Discovery - Protocol relative URLs are allowed?
Issue #913
wontfix
The current specification may not allow protocol-relative URLs that start with a double slash, e.g. //google.com/.
I wish it were clearer whether those URLs are prohibited or not.
Python urlparse() works with those URLs; PHP parse_url() fails to parse them.
Comments (2)
- changed status to wontfix
We don't expect normal users to type //host, so this seems like an edge case. There's nothing wrong with accepting it, but we're not going to require it.
Where are you asking if they are allowed? As user input for the discovery process?
(They're not allowed as "iss" claim values, for instance, because they're missing the https scheme.)
My informal reading of http://openid.bitbucket.org/openid-connect-discovery-1_0.html#NormalizationSteps is that it's probably legal, but it's not clear to me that we actually want to encourage it.
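
The distinction drawn in the comments above, as an added example that is not part of the original issue thread or of the specification: Python's urlsplit() parses //google.com/ as a reference with a host but no scheme, so a check on "iss" values has to test the scheme explicitly rather than rely on the parser succeeding. The function name check_issuer and the sample inputs are constructed for illustration; the rules applied (https scheme, host present, no query or fragment) are those of the OpenID Connect definition of an Issuer Identifier.

```python
from urllib.parse import urlsplit


def check_issuer(value):
    """Return (ok, reason) for a candidate "iss" value (hypothetical helper)."""
    try:
        parts = urlsplit(value)
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable: {exc}"

    if not parts.scheme:
        # "//host/..." parses without error: netloc is set, scheme is empty.
        if parts.netloc:
            return False, "scheme-relative reference, no scheme"
        return False, "no scheme"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not 'https'"
    if not parts.hostname:
        return False, "no host"
    # Checked on the raw string so an empty "?" or "#" is also rejected.
    if "?" in value or "#" in value:
        return False, "query or fragment present"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "https://server.example.com",
        "https://server.example.com:8443/tenant1",
        "//google.com/",
        "google.com",
        "http://server.example.com",
        "https://server.example.com/?x=1",
        "https:///path-only",
    ]
    for s in samples:
        ok, reason = check_issuer(s)
        print(f"{s!r:45} {'accept' if ok else 'reject'}  ({reason})")
```
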