By: Martin Petri user 14 Jan 2020 at 8:58 a.m. CST

1 Response
Hi. Is it possible to use dynamic (changing) ports in redirect URIs? We're developing an SSH federated login and the login script starts a small HTTP process per session. Therefore we need to change the port for each user connecting to the server. It would be very helpful if the current port could be used for the callback URL. Cheers, Martin

By Michael Schwartz Account Admin 14 Jan 2020 at 11:48 a.m. CST

Redirect URI must be pre-registered. This is a requirement of OpenID Connect: see [Section 3.1.2.1-- Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

```
REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison). When using this flow, the Redirection URI SHOULD use the https scheme; however, it MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0, and provided the OP allows the use of http Redirection URIs in this case. The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
```

One possible workaround is to use the oxTrust API to add the redirect_uri on the fly. This is a little risky though... you'd also want a cleanup process to remove it.

Another possibility is perhaps to use the Person Authentication interception script to update the client in the database on the fly--although you might not get to this point, because the request may be rejected before the script is even executed.
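
A small model of the exact-match rule and of the add-then-clean-up idea discussed in this thread, as an added example that is not part of the original posts and is not Gluu or oxTrust code. The `RedirectUriRegistry` class, its methods, the host name, ports and clock values are hypothetical and constructed for illustration.

```python
import time
from urllib.parse import urlsplit


class RedirectUriRegistry:
    """Hypothetical in-memory model of one client's redirect URIs (not oxTrust)."""

    def __init__(self, static_uris, port_template):
        self._static = set(static_uris)            # permanent registrations
        self._template = urlsplit(port_template)   # base that temporary URIs must share
        self._leases = {}                          # temporary URI -> expiry (epoch s)

    def matches(self, redirect_uri, now=None):
        """Exact string comparison only (RFC 3986 section 6.2.1)."""
        now = time.time() if now is None else now
        if redirect_uri in self._static:
            return True
        expiry = self._leases.get(redirect_uri)
        return expiry is not None and now < expiry

    def add_temporary(self, redirect_uri, ttl_seconds, now=None):
        """Lease a per-session URI that differs from the template only by port."""
        now = time.time() if now is None else now
        u, t = urlsplit(redirect_uri), self._template
        ok = (u.scheme == t.scheme and u.path == t.path and not u.query
              and not u.fragment and u.netloc == f"{t.hostname}:{u.port}")
        if not ok or u.port < 1024:
            raise ValueError("temporary redirect URI may only vary the port")
        self._leases[redirect_uri] = now + ttl_seconds

    def cleanup(self, now=None):
        """Cleanup pass: drop expired leases and return the URIs removed."""
        now = time.time() if now is None else now
        expired = sorted(u for u, exp in self._leases.items() if exp <= now)
        for uri in expired:
            del self._leases[uri]
        return expired


def demo():
    reg = RedirectUriRegistry(["https://login.example.org/callback"],
                              "http://login.example.org/callback")
    t0 = 1_000_000.0                                   # constructed clock value
    uri = "http://login.example.org:49152/callback"    # constructed session URI
    out = [reg.matches(uri, now=t0)]                   # port not registered yet
    reg.add_temporary(uri, ttl_seconds=120, now=t0)
    out.append(reg.matches(uri, now=t0 + 30))          # inside the lease
    out.append(reg.matches("http://login.example.org:49153/callback", now=t0 + 30))
    out.append(reg.matches(uri, now=t0 + 121))         # lease expired
    out.append(reg.cleanup(now=t0 + 121))              # expired entry removed
    return out
```

The lease expiry means a forgotten per-session URI stops matching even if the cleanup pass is delayed, which narrows the window that makes on-the-fly registration risky.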