openid / fapi / issues / #402 - AS shall require that redirect URIs use the https scheme — Bitbucket

Issue #402 resolved

Torsten Lodderstedt created an issue 2021-04-22

FAPI 2 Baseline requires https redirect urls, this precludes custom schemes and redirects to the loopback device via http.

It seems like this was copied from FAPI 1.

Comments (6)

Daniel Fett

Wording from the security bcp:

   Authorization responses MUST NOT be transmitted over unencrypted
   network connections.  To this end, AS MUST NOT allow redirect URIs
   that use the "http" scheme except for native clients that use
   Loopback Interface Redirection as described in [RFC8252],
   Section 7.3.

‌

2021-04-28T14:49:42+00:00

Dave Tonge
- changed status to open
- 2021-04-28T14:52:37+00:00
Dave Tonge
- assigned issue to
  
  Daniel Fett
- 2021-04-28T14:53:04+00:00
Daniel Fett
- changed status to resolved
Proposal to fix Issue ~~#402~~

→ <<cset 01f077219385>>
- 2021-04-28T14:58:21+00:00
Dave Tonge
Merged in danielfett/fapi2/http-redirect-uris (pull request #265)

Proposal to fix Issue ~~#402~~

Approved-by: Dave Tonge Approved-by: Brian Campbell Approved-by: Joseph Heenan Approved-by: Torsten Lodderstedt

→ <<cset 45e5a135fd93>>
- 2021-04-28T15:02:00+00:00
Nat Sakimura
- changed component to FAPI2: Security Profile
- 2022-12-14T15:35:24+00:00
Log in to comment

Assignee: Daniel Fett

Type: bug

Priority: major

Status: resolved

Component: FAPI2: Security Profile

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!