refactor: relax native app custom URI scheme validation

closes #1411

Signed-off-by: Filip Skokan <panva.ip@gmail.com>

Author: panva

lib/helpers/client_schema.js

@@ -9,6 +9,8 @@ import pick from './_/pick.js';
 import omitBy from './_/omit_by.js';
 
 const W3CEmailRegExp = /^[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;
+// eslint-disable-next-line no-script-url
+const FORBIDDEN_SCHEMES = new Set(['javascript:', 'vbscript:', 'data:', 'blob:', 'file:', 'about:']);
 const needsJwks = {
   jwe: /^(RSA|ECDH)/,
   jws: /^(?:(?:P|E|R)S(?:256|384|512)|Ed(?:DSA|25519)|ML-DSA-(?:44|65|87))$/,
@@ -636,9 +638,12 @@ export default function getSchema(provider) {
                 }
                 break;
               default: // Private-use URI Scheme Redirection
-                if (!protocol.includes('.')) {
-                  this.invalidate(`${label} for native clients using Custom URI scheme should use reverse domain name based scheme`);
+                if (FORBIDDEN_SCHEMES.has(protocol)) {
+                  this.invalidate(`${label} must not use the ${protocol.slice(0, -1)} URI scheme`);
                 }
+                // no further validation - RFC 8252 Section 7.1 recommends reverse domain
+                // name based schemes but in practice app vendors don't follow this
+                break;
             }
             break;
           }

test/configuration/client_metadata.test.js

@@ -506,11 +506,28 @@ describe('Client metadata validation', () => {
     rejects(this.title, ['not-a-uri'], undefined, {
       application_type: 'native',
     });
+    rejects(this.title, ['https://localhost/op/callback'], /for native clients using claimed HTTPS URIs must not be using localhost as hostname/, {
+      application_type: 'native',
+    });
+    allows(this.title, ['com.example.app://localhost/op/callback', 'com.example.app:/op/callback'], {
+      application_type: 'native',
+    });
+    allows(this.title, ['myapp:/op/callback'], {
+      application_type: 'native',
+    });
+    allows(this.title, ['cursor://anysphere.cursor-mcp/oauth/callback'], {
+      application_type: 'native',
+    });
     rejects(this.title, ['http://foo/bar'], undefined, {
       application_type: 'web',
       grant_types: ['implicit'],
       response_types: ['id_token'],
     });
+    for (const scheme of ['javascript', 'vbscript', 'data', 'blob', 'file', 'about']) {
+      rejects(this.title, [`${scheme}:foo`], `redirect_uris must not use the ${scheme} URI scheme`, {
+        application_type: 'native',
+      });
+    }
     it('has an schema invalidation hook for forcing https on implicit', async () => {
       const sandbox = sinon.createSandbox();
       sandbox.spy(DefaultProvider.Client.Schema.prototype, 'invalidate');
@@ -601,6 +618,11 @@ describe('Client metadata validation', () => {
       grant_types: ['implicit'],
       response_types: ['id_token'],
     });
+    for (const scheme of ['javascript', 'vbscript', 'data', 'blob', 'file', 'about']) {
+      rejects(this.title, [`${scheme}:foo`], `post_logout_redirect_uris must not use the ${scheme} URI scheme`, {
+        application_type: 'native',
+      });
+    }
   });
 
   context('request_object_signing_alg', function () {

test/oauth_native_apps/oauth_native_apps.test.js

@@ -9,62 +9,6 @@ describe('OAuth 2.0 for Native Apps Best Current Practice features', () => {
   before(bootstrap(import.meta.url));
 
   describe('changed native client validations', () => {
-    describe('Private-use URI Scheme Redirection', () => {
-      it('allows custom uri scheme uris with localhost', function () {
-        return addClient(this.provider, {
-          application_type: 'native',
-          client_id: 'native-custom',
-          grant_types: ['implicit'],
-          response_types: ['id_token'],
-          token_endpoint_auth_method: 'none',
-          redirect_uris: ['com.example.app://localhost/op/callback', 'com.example.app:/op/callback'],
-        });
-      });
-
-      it('rejects custom schemes without dots with reverse domain name scheme recommendation', function () {
-        return assert.rejects(addClient(this.provider, {
-          application_type: 'native',
-          client_id: 'native-custom',
-          grant_types: ['implicit'],
-          response_types: ['id_token'],
-          token_endpoint_auth_method: 'none',
-          redirect_uris: ['myapp:/op/callback'],
-        }), (err) => {
-          expect(err).to.have.property('message', 'invalid_redirect_uri');
-          expect(err).to.have.property('error_description', 'redirect_uris for native clients using Custom URI scheme should use reverse domain name based scheme');
-          return true;
-        });
-      });
-    });
-
-    describe('Claimed HTTPS URI Redirection', () => {
-      it('allows claimed https uris', function () {
-        return addClient(this.provider, {
-          application_type: 'native',
-          client_id: 'native-custom',
-          grant_types: ['implicit'],
-          response_types: ['id_token'],
-          token_endpoint_auth_method: 'none',
-          redirect_uris: ['https://claimed.example.com/op/callback'],
-        });
-      });
-
-      it('rejects https if using loopback uris', function () {
-        return assert.rejects(addClient(this.provider, {
-          application_type: 'native',
-          client_id: 'native-custom',
-          grant_types: ['implicit'],
-          response_types: ['id_token'],
-          token_endpoint_auth_method: 'none',
-          redirect_uris: ['https://localhost/op/callback'],
-        }), (err) => {
-          expect(err).to.have.property('message', 'invalid_redirect_uri');
-          expect(err).to.have.property('error_description', 'redirect_uris for native clients using claimed HTTPS URIs must not be using localhost as hostname');
-          return true;
-        });
-      });
-    });
-
     describe('Loopback Interface Redirection', () => {
       it('catches invalid urls being passed in', function () {
         return addClient(this.provider, {