Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 13:51:30 +0200] rev 5465
mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs
Per draft-ietf-oauth-v2-1-08#section-8.4.2
> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.
Uncertain if it should normalize the host part, but it also seems
harmless to treat IPv6 and IPv4 the same here.
One thing is that "localhost" is NOT RECOMMENDED because it can
sometimes be pointed to non-loopback interfaces via DNS or hosts file.
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 00:55:50 +0200] rev 5464
mod_http_oauth2: Add FIXME about loopback redirect URIs
I assume you can't possibly pre-register every port
Kim Alvefur <zash@zash.se> [Wed, 17 May 2023 00:09:37 +0200] rev 5463
mod_http_oauth2: Rename variables to improve clarity
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 22:18:12 +0200] rev 5462
mod_http_oauth2: Do minimal validation of private-use URI schemes
Per draft-ietf-oauth-v2-1-08#section-2.3.1
> At a minimum, any private-use URI scheme that doesn't contain a period
> character (.) SHOULD be rejected.
Since this would rule out the OOB URI, which is useful for CLI tools and
such without a built-in http server, it is explicitly allowed.
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 22:16:39 +0200] rev 5461
mod_http_oauth2: Reject relative redirect URIs
Also prevents a nil scheme from causing trouble
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:10:55 +0200] rev 5460
mod_http_oauth2: Reject duplicate list items in client registration
Useless waste of space
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:09:38 +0200] rev 5459
mod_http_oauth2: Require non-empty arrays in client registration
Makes no sense to claim to support nothing.
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 21:04:31 +0200] rev 5458
mod_http_oauth2: Reject duplicate redirect URIs in registration
Kim Alvefur <zash@zash.se> [Tue, 16 May 2023 20:56:57 +0200] rev 5457
mod_http_oauth2: Fix schema to enforce at least one redirect URI
minLength is for strings
Kim Alvefur <zash@zash.se> [Fri, 12 May 2023 11:58:20 +0200] rev 5456
mod_http_oauth2: Show only roles the user can use in consent dialog
Confusing if it shows you roles you can't use.