mod_http_oauth2: Fix use of arbitrary ports in loopback redirect URIs Per draft-ietf-oauth-v2-1-08#section-8.4.2 > The authorization server MUST allow any port to be specified at the > time of the request for loopback IP redirect URIs, to accommodate > clients that obtain an available ephemeral port from the operating > system at the time of the request. Uncertain if it should normalize the host part, but it also seems harmless to treat IPv6 and IPv4 the same here. One thing is that "localhost" is NOT RECOMMENDED because it can sometimes be pointed to non-loopback interfaces via DNS or hosts file.

mod_http_oauth2: Add FIXME about loopback redirect URIs I assume you can't possibly pre-register every port

mod_http_oauth2: Rename variables to improve clarity

mod_http_oauth2: Do minimal validation of private-use URI schemes Per draft-ietf-oauth-v2-1-08#section-2.3.1 > At a minimum, any private-use URI scheme that doesn't contain a period > character (.) SHOULD be rejected. Since this would rule out the OOB URI, which is useful for CLI tools and such without a built-in http server, it is explicitly allowed.

mod_http_oauth2: Reject relative redirect URIs Also prevents a nil scheme from causing trouble

mod_http_oauth2: Reject duplicate list items in client registration Useless waste of space

mod_http_oauth2: Require non-empty arrays in client registration Makes no sense to claim to support nothing.

mod_http_oauth2: Reject duplicate redirect URIs in registration

mod_http_oauth2: Fix schema to enforce at least one redirect URI minLength is for strings

mod_http_oauth2: Show only roles the user can use in consent dialog Confusing if it shows you roles you can't use.