AS shall require that redirect URIs use the https scheme

Issue #402 resolved
Torsten Lodderstedt created an issue

FAPI 2 Baseline requires https redirect urls, this precludes custom schemes and redirects to the loopback device via http.

It seems like this was copied from FAPI 1.

Comments (6)

  1. Daniel Fett

    Wording from the security bcp:

       Authorization responses MUST NOT be transmitted over unencrypted
       network connections.  To this end, AS MUST NOT allow redirect URIs
       that use the "http" scheme except for native clients that use
       Loopback Interface Redirection as described in [RFC8252],
       Section 7.3.
    

  2. Log in to comment