Localhost as hostname for redirect_uri in OpenID Connect

Question

The OpenID Connect specification states that localhost is not a valid hostname when the application type is web and the grant is Implicit.

From the OpenID Connect specification (application_type):

Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris; they MUST NOT use localhost as the hostname.

It later states:

This prevents sharing a Client ID across different types of Clients.

How does disallowing localhost prevent sharing? Directly specifying a local IP address, such as 127.0.0.1, is still allowed.

security | openid-connect | 2017-01-06 22:01 | 0 Answers
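
An added example, not part of the original question and not code from the specification: a registration-time check of the quoted web-client rule, next to the rule the same section of the specification gives for native clients (a custom URI scheme, or the http scheme with localhost as the hostname; that sentence is not quoted above). The names `violations` and `shareable`, the treatment of every non-http(s) scheme as "custom", and the sample URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: any scheme other than http/https counts as a "custom URI scheme".
WEB_SCHEMES = {"http", "https"}


def violations(application_type, grant_types, redirect_uri):
    """Return the rule violations for one redirect_uri; an empty list means acceptable."""
    parts = urlsplit(redirect_uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    problems = []
    if application_type == "web" and "implicit" in grant_types:
        if scheme != "https":
            problems.append("web/implicit: scheme must be https")
        # Literal hostname comparison, as the rule is worded: 127.0.0.1 is not caught.
        if host == "localhost":
            problems.append("web/implicit: hostname must not be localhost")
    elif application_type == "native":
        custom = scheme != "" and scheme not in WEB_SCHEMES
        http_localhost = scheme == "http" and host == "localhost"
        if not (custom or http_localhost):
            problems.append("native: need a custom scheme or http://localhost")
    return problems


def shareable(redirect_uri):
    """True if the same URI would be accepted for a web/implicit client and a native client."""
    return (not violations("web", ["implicit"], redirect_uri)
            and not violations("native", ["implicit"], redirect_uri))


# Constructed sample URIs, not taken from the page.
SAMPLES = [
    "https://app.example.com/cb",
    "https://localhost/cb",
    "https://127.0.0.1/cb",
    "http://localhost:8080/cb",
    "com.example.app:/cb",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        print("  web/implicit:", violations("web", ["implicit"], uri) or "ok")
        print("  native:      ", violations("native", ["implicit"], uri) or "ok")
        print("  shareable:   ", shareable(uri))
```

Under these two rules none of the sample URIs is accepted for both client types; `https://127.0.0.1/cb` passes the web check but fails the native one.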
