search cancel

OAuth redirect_uri MUST support Wildcard ports for localhost


Article ID: 230110


Updated On:


CA API Gateway


I have a client that has a requirement for a dynamic port. as 
This is on an authorization_code request.

I looked at the code in the "OTK Authorization Request Validation" and the code does not cater for this.

The RFC8252 spec however states that this MUST be supported by the IDP as per the extract below.

7.3.  Loopback Interface Redirection   Native apps that are able to open a port on the loopback network   interface without needing special permissions (typically, those on   desktop operating systems) can use the loopback interface to receive   the OAuth redirect.   Loopback redirect URIs use the "http" scheme and are constructed with   the loopback IP literal and whatever port the client is listening on.Denniss & Bradley         Best Current Practice                 [Page 9]

RFC 8252                OAuth 2.0 for Native Apps           October 2017   That is, "{port}/{path}" for IPv4, and   "http://[::1]:{port}/{path}" for IPv6.  An example redirect using the   IPv4 loopback interface with a randomly assigned port:   An example redirect using the IPv6 loopback interface with a randomly   assigned port:     http://[::1]:61023/oauth2redirect/example-provider   The authorization server MUST allow any port to be specified at the   time of the request for loopback IP redirect URIs, to accommodate   clients that obtain an available ephemeral port from the operating   system at the time of the request.   Clients SHOULD NOT assume that the device supports a particular   version of the Internet Protocol.  It is RECOMMENDED that clients   attempt to bind to the loopback interface using both IPv4 and IPv6   and use whichever is available.


Release : 10.0

Component : OTK 


I checked this internally but at the moment this is not implemented the current OTK version, there is user story to add this and it is targeted for OTK .4.6