mod_http_oauth2: Add FIXME about loopback redirect URIs
I assume you can't possibly pre-register every port
--- a/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 00:09:37 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Wed May 17 00:55:50 2023 +0200
@@ -251,6 +251,11 @@
return redirect_uri
end
end
+ -- FIXME The authorization server MUST allow any port to be specified at the
+ -- time of the request for loopback IP redirect URIs, to accommodate clients
+ -- that obtain an available ephemeral port from the operating system at the
+ -- time of the request.
+ -- https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-8.4.2
end
local grant_type_handlers = {};