Closed
Description
Expected Behavior
As per OAuth 2.1 section-10.3.3:
> The authorization server MUST allow any port to be specified at the
> time of the request for loopback IP redirect URIs, to accommodate
> clients that obtain an available ephemeral port from the operating
> system at the time of the request.
Current Behavior
Loopback address redirect URIs are also matched with exact string matching, which does not allow clients that use an ephemeral port from the operating system.
Context
This currently affects my integration testing effort where the server is brought up on random ports.
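The matching rule quoted in the issue, sketched as an added example (not part of the original report and not the project's code): exact string comparison stays the default, and the port is ignored only when the registered URI's host is a loopback IP literal. The function names and sample URIs are constructed for illustration; treating `localhost` as a name rather than a loopback IP is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_ip_literal(host):
    """True only for IP literals such as 127.0.0.1 or ::1, never for host names."""
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False


def _parts_without_port(uri):
    """Return every URI component except the port, or None if the URI is malformed."""
    try:
        u = urlsplit(uri)
        u.port  # property access raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    return (u.scheme, u.username, u.password, u.hostname, u.path, u.query, u.fragment)


def redirect_uri_matches(registered, requested):
    """Exact string match, relaxed to 'any port' for loopback IP redirect URIs only."""
    if requested == registered:
        return True
    reg = _parts_without_port(registered)
    req = _parts_without_port(requested)
    if reg is None or req is None:
        return False
    # The relaxation is keyed on the *registered* host being a loopback IP literal
    # (assumption of this sketch: "localhost" is a name and keeps exact matching).
    if not is_loopback_ip_literal(reg[3]):
        return False
    # Scheme, userinfo, host, path, query and fragment must still be identical.
    return reg == req


# Constructed sample registrations for a hypothetical client.
REGISTERED = ["http://127.0.0.1/callback", "https://client.example/cb"]


def is_registered(requested):
    """Check a requested redirect URI against the constructed registrations."""
    return any(redirect_uri_matches(r, requested) for r in REGISTERED)
```
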