GenerateAuthorizationCode with Native Apps and Loopback Interface Redirection

On the GenerateAuthorizationCode OAuthV2 operation it states:

"If a Callback URL is registered with the developer app that is associated with the request's client keys, and if the redirect_uri is present in the request, then the two must match exactly. If they do not match, an error is returned."

The question is: is it possible to support a dynamic port as specified in section 7.3 of the OAuth 2.0 for Native Apps RFC? See RFC 8252: OAuth 2.0 for Native Apps (rfc-editor.org).

Basically, we want to have the ability to enforce a redirect_uri by utilizing the app Callback URL, but have it ignore the port. This is currently not working with the GenerateAuthorizationCode operation because the port is specified in the Callback URL which must match exactly. I understand that one solution is to simply not register the Callback URL on the developer app, but that violates security best practices.


Nope

As far as I know the URLs must match exactly. There's no allowance for different ports.

Also I agree that omitting the callback URL on the developer app is probably a bad idea!

I think you'd need to connect with your Apigee support engineer to request a feature enhancement, specifically to support dynamic ports on the callback.
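As an added example (not part of the question or the reply, and not Apigee's own logic), here is the kind of redirect_uri check the question is asking for: an exact match on scheme, host, path and query, with the port ignored only when the registered callback host is a loopback IP literal, as RFC 8252 section 7.3 requires of authorization servers. The function name, the constructed sample URIs and the constant name are mine.

```python
from urllib.parse import urlsplit

# Literal loopback hosts for which RFC 8252 section 7.3 requires any port to be
# accepted. "localhost" is deliberately absent: RFC 8252 section 8.3 recommends
# the literal IP forms, so a "localhost" callback is held to an exact match.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _parts(uri):
    """Split a URI into (scheme, host, port, path, query, fragment).

    Returns None when the URI is malformed (e.g. a non-numeric port), so the
    caller rejects it instead of raising.
    """
    try:
        p = urlsplit(uri)
        # .hostname lowercases and strips IPv6 brackets; .port validates the number.
        return (p.scheme.lower(), p.hostname, p.port, p.path, p.query, p.fragment)
    except ValueError:
        return None


def redirect_uri_matches(registered, requested):
    """Decide whether `requested` may be used given the registered callback URL.

    Scheme, host, path and query must match exactly, as the question says
    GenerateAuthorizationCode already requires. The port must match too, except
    when the registered host is a literal loopback IP: then any port (or none)
    is accepted, which is what RFC 8252 section 7.3 asks of authorization
    servers. URIs carrying a fragment are rejected outright.
    """
    reg = _parts(registered)
    req = _parts(requested)
    if reg is None or req is None:
        return False
    r_scheme, r_host, r_port, r_path, r_query, r_frag = reg
    q_scheme, q_host, q_port, q_path, q_query, q_frag = req
    if r_frag or q_frag or r_host is None or q_host is None:
        return False
    if (r_scheme, r_host, r_path, r_query) != (q_scheme, q_host, q_path, q_query):
        return False
    if r_host in LOOPBACK_HOSTS:
        return True          # loopback: the port is chosen by the client, ignore it
    return r_port == q_port  # everything else: exact match, port included


if __name__ == "__main__":
    # Constructed sample: a native app that registered a loopback callback and
    # was handed ephemeral port 51234 by the OS at request time.
    print(redirect_uri_matches("http://127.0.0.1/callback",
                               "http://127.0.0.1:51234/callback"))
```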