diff mod_http_oauth2/mod_http_oauth2.lua @ 5460:c0d62c1b4424

mod_http_oauth2: Add FIXME about loopback redirect URIs I assume you can't possibly pre-register every port
author Kim Alvefur <zash@zash.se>
date Wed, 17 May 2023 00:55:50 +0200
parents 260a859be86a
children 06640647d193
--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed May 17 00:09:37 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed May 17 00:55:50 2023 +0200
@@ -251,6 +251,11 @@
 			return redirect_uri
 		end
 	end
+	-- FIXME The authorization server MUST allow any port to be specified at the
+	-- time of the request for loopback IP redirect URIs, to accommodate clients
+	-- that obtain an available ephemeral port from the operating system at the
+	-- time of the request.
+	-- https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-8.4.2
 end
 
 local grant_type_handlers = {};
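Review bot: The FIXME added just before the function's closing `end` records the any-port requirement but not the limits a later fix has to keep, and a port-insensitive comparison written without them would loosen redirect URI validation more than the draft asks for. I would extend the comment with `-- Only the port may vary, and only when the registered URI's host is a loopback IP literal;` followed by `-- scheme, host, path and query must still match the registered URI exactly.` Because the comment sits after the matching loop, a loopback URI with an unregistered port presumably still falls through to the function's implicit nil return, and it would help to state that current behaviour in the FIXME. The function begins outside the hunk, so the matching logic itself is not visible here.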