Localhost as hostname for redirect_uri in OpenID Connect


The OpenID Connect specification states that localhost is not a valid hostname when the application type is web and the grant is Implicit.

From the OpenID Connect Specification (application_type):

Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris; they MUST NOT use localhost as the hostname.

It later states

This prevents sharing a Client ID across different types of Clients.

How does disallowing localhost prevent sharing? Directly specifying a local IP address, such as is still allowed.

| security   | openid-connect   2017-01-06 22:01 0 Answers
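
The registration rule quoted in the question, written out as a check an authorization server could run at client registration (an added example, not part of the original post or of any OpenID Connect library). The function and parameter names are hypothetical; the native branch reflects the rule for native clients from the same application_type section, which the post does not quote, and `strict_loopback` is an extra server-side policy assumed here, not something the quoted text requires.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

def _is_loopback_literal(host):
    """True if host is an IP literal in a loopback range (127.0.0.0/8, ::1)."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal at all

def check_redirect_uri(uri, application_type, grant_types, strict_loopback=False):
    """Return a list of rule violations; an empty list means the URI is acceptable."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    problems = []
    if application_type == "web" and "implicit" in grant_types:
        if scheme != "https":
            problems.append("web+implicit: scheme must be https")
        if host == "localhost":
            problems.append("web+implicit: hostname must not be localhost")
        # Assumption: stricter than the quoted text, which only names "localhost".
        if strict_loopback and _is_loopback_literal(host):
            problems.append("web+implicit: loopback IP literal refused")
    elif application_type == "native":
        custom_scheme = scheme not in ("", "http", "https")
        http_localhost = scheme == "http" and host == "localhost"
        if not (custom_scheme or http_localhost):
            problems.append("native: need a custom scheme or http://localhost")
    return problems

# Constructed sample registrations (not taken from the post).
SAMPLES = [
    ("https://app.example.com/cb", "web", ["implicit"]),
    ("https://localhost/cb", "web", ["implicit"]),
    ("https://127.0.0.1/cb", "web", ["implicit"]),  # passes the literal rule
    ("http://localhost:8080/cb", "native", ["authorization_code"]),
    ("com.example.app:/cb", "native", ["authorization_code"]),
]

if __name__ == "__main__":
    for uri, app_type, grants in SAMPLES:
        print(app_type, uri, check_redirect_uri(uri, app_type, grants) or "ok")
```

With the two branches side by side, no URI of the form `http://localhost...` or `https://localhost...` is accepted for both a web implicit client and a native client, while a loopback IP literal over https is rejected for the web client only when `strict_loopback=True`.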
