Verification of top-level domains buggy

[TheOneWithTheBraid]

I encountered a funny bug : if your top-level domain is too long, your redirect URI is automatically rejected. In my case, business.braid.polycule: was considered as an invalid URI scheme - even though .business obviously is a top-level domain.

I'd highly suggest to remove that buggy check.

matrix-authentication-service/crates/handlers/src/oauth2/registration.rs

Line 179 in fef81b8

if host.len() <= suffix.as_bytes().len() + 1 {

[sandhose]

The following registration works:

{
  "client_uri": "https://polycule.braid.business/",
  "grant_types": ["refresh_token", "authorization_code"],
  "application_type": "native",
  "redirect_uris": ["business.braid.polycule:/"],
  "token_endpoint_auth_method": "none"
}

Two important things to note:

• the application_type is set to native, which allows native schemes
• the redirect_uri has a trailing slash. This one is probably the culprit: the RFC mentions a single slash, but I don't think this should be strictly enforced? https://datatracker.ietf.org/doc/html/rfc8252#section-7.1

So, either we clarify MSC2966 to require a single slash in native schemes, or we fix the implementation