OAuth cannot handle redirectURI that uses HTTP even though RFC does not mandate it

  • 7021263
  • 30-Aug-2017
  • 31-Jul-2018

Environment

Access Manager 4.3
Access Manager 4.2

Situation

When OAuth applications are registered on the NAM Identity Server with the http scheme in their callback URIs, the admin UI appears to accept them and saves them. Yet whenever an OAuth client requests a token or authorization code with a redirect URI that uses the http scheme, the following error is returned:

"One or more redirect_uri values are invalid."

Only HTTPS is accepted, yet the RFC does not mandate HTTPS as the scheme of the redirection endpoint; it only recommends it. From the OAuth RFC:

"The redirection endpoint SHOULD require the use of TLS ..."


Resolution

Fixed in NAM 4.4.

The fix does the following:

1. Allows the admin to configure the http scheme for a redirect URI, both in the UI and in the client registration API, by removing the checks that rejected http.
2. When http is configured for a redirect URI of an application with type = web, shows a warning message in the UI recommending the https scheme.
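The following is an added, constructed model of the redirect_uri check described above (it is not Access Manager's own code): a registered-URI exact match, a fragment check, and an http policy switchable between the pre-4.4 behaviour (reject) and the 4.4 behaviour (accept, warn for web applications). The function name, the `app_type` values and the `allow_http` flag are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed example modelled on the behaviour this article describes;
# not NAM's own implementation. Error text is the one quoted in the article.
INVALID_MSG = "One or more redirect_uri values are invalid."
HTTPS_WARNING = ("redirect_uri uses the http scheme; https is recommended "
                 "(RFC 6749 section 3.1.2.1).")


@dataclass
class RedirectCheck:
    accepted: bool
    message: str = ""


def check_redirect_uri(redirect_uri: str, registered: List[str],
                       app_type: str = "web",
                       allow_http: bool = True) -> RedirectCheck:
    """Validate the redirect_uri sent to the authorization/token endpoint.

    - exact string match against the client's registered redirect URIs
    - absolute http(s) URI without a fragment (RFC 6749 section 3.1.2)
    - http: rejected outright when allow_http is False (pre-4.4 behaviour);
      when True, accepted and, for app_type "web", flagged with a warning
      (the 4.4 behaviour described in the resolution).
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.fragment:
        return RedirectCheck(False, INVALID_MSG)
    # Exact match only: prefix or substring matching is a known weakness
    # because extra path or query components would still be accepted.
    if redirect_uri not in registered:
        return RedirectCheck(False, INVALID_MSG)
    if parts.scheme == "http":
        if not allow_http:
            return RedirectCheck(False, INVALID_MSG)
        if app_type == "web":
            return RedirectCheck(True, HTTPS_WARNING)
    return RedirectCheck(True)
```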