Issue #913 wontfix

hideki nara created an issue 2013-12-18

Current specification may not allow protocol relative URLs which starts with double slash, e.g. //google.com/ .

I wish it more clear if those urls are prohibit or not.

Python urlparse() works those URL, PHP parse_url() fails to parse.

Comments (2)

Michael Jones
Where are you asking if they are allowed? As user input for the discovery process?

(They're not allowed as "iss" claim values, for instance, because they're missing the https scheme.)

My informal reading of http://openid.bitbucket.org/openid-connect-discovery-1_0.html#NormalizationSteps is that it it's probably legal, but it's not clear to me that we actually want to encourage it.
- 2013-12-19T04:16:24+00:00
Michael Jones
- changed status to wontfix
We don't expect normal users to type //host, so this seems like an edge case. There's nothing wrong with accepting it, but we're not going to require it.
- 2013-12-19T15:15:07+00:00
Log in to comment

Assignee: –

Type: proposal

Priority: minor

Status: wontfix

Component: Discovery

Milestone: Final

Version: –

Votes: 0

Watchers: 0

Jira Software: the preferred issue tracker for Bitbucket. Join the team!