By: Sakit Atakishiyev user 22 Apr 2017 at 5:01 a.m. CDT

4 Responses
Hello everyone. Yesterday we tried to register our application via the Java library. When we registered our site, we set _authorization_redirect_uri_ with the **http** protocol, but oxd-server returned an error that the **redirect uri is invalid**. When we changed the redirect URI to one that supports the **https** protocol, everything was OK and our site registered successfully. Is there any restriction on site registration? Should we always use the **https** protocol?

By Aliaksandr Samuseu staff 22 Apr 2017 at 7:14 a.m. CDT

Hi, Sakit. You can always refer to the [OIDC core spec](http://openid.net/specs/openid-connect-core-1_0.html). Depending on what flow you are using, you may be forced to use the `https` scheme in `redirect_uri`. For the `authz code` flow it's just recommended, but only in cases when the OIDC client is of type "confidential". For the `implicit` flow, usage of the `http` scheme in `redirect_uri` is prohibited, with the only exception being when the client is a native app.

By Sakit Atakishiyev user 22 Apr 2017 at 10 a.m. CDT

Hi Aliaksandr, actually we did not change anything. We just read the documentation on the web site and followed all the instructions by default. We did not change any configuration, and we used the example code in this [documentation](https://gluu.org/docs/oxd/libraries/java/). As I said in my question, when we assign an `http` URL to `redirect_uri` we get an error, but when we use `https` everything is OK. There is no information about this in the documentation. Is there any configuration for this? Or do we have to use only the `https` protocol?

By Michael Schwartz Account Admin 22 Apr 2017 at 10:07 a.m. CDT

OpenID Connect requires `HTTPS`. We are adding http support in Gluu Server 3.1 for `http://localhost` and `http://127.0.0.1/` only.

By Sakit Atakishiyev user 22 Apr 2017 at 12:05 p.m. CDT

Thanks Michael
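
Added example, not part of the thread and not oxd or Gluu code: a check a client application could run on its redirect URI before registering, modelling the rule stated in the replies above (`https`, or `http` only for `localhost` and `127.0.0.1`). The class name, method name and sample URIs are constructed for illustration, and the actual validation inside oxd-server may differ.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class RedirectUriCheck {
    // Hosts for which, per the thread, Gluu Server 3.1 accepts plain http.
    private static final Set<String> LOOPBACK = Set.of("localhost", "127.0.0.1");

    /** Returns null when the URI passes, otherwise the reason for rejecting it. */
    static String reject(String redirectUri) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return "not a valid URI";
        }
        // Custom-scheme URIs used by native apps have no host and are out of scope here.
        if (!uri.isAbsolute() || uri.getHost() == null) return "must be absolute with a host";
        // RFC 6749 section 3.1.2: a redirection endpoint must not include a fragment.
        if (uri.getRawFragment() != null) return "must not contain a fragment";
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        // Compare the parsed host exactly; prefix or substring matching would be unsafe.
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        if (scheme.equals("https")) return null;
        if (scheme.equals("http") && LOOPBACK.contains(host)) return null;
        return "scheme '" + scheme + "' is not allowed for host '" + host + "'";
    }

    public static void main(String[] args) {
        String[] samples = {                                   // constructed sample values
            "https://client.example.org/callback",             // accepted: https
            "http://client.example.org/callback",              // rejected: http, non-loopback
            "http://localhost:8080/callback",                  // accepted: loopback
            "http://127.0.0.1/callback",                       // accepted: loopback
            "http://localhost.client.example.org/callback",    // rejected: only looks like localhost
            "http://localhost@client.example.org/callback",    // rejected: "localhost" is userinfo
            "https://client.example.org/callback#frag"         // rejected: fragment
        };
        for (String s : samples) {
            String why = reject(s);
            System.out.println((why == null ? "OK      " : "REJECT  ") + s
                    + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```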