isAllowedRedirectScheme

Whether a client redirect_uri uses a scheme the proxy is willing to relay an authorization code to. https is always allowed; plain http is allowed only for loopback hosts (127.0.0.1, [::1], localhost) per RFC 8252 §7.3. All other schemes (including http to a non-loopback host, and custom/private-use schemes) are rejected so the upstream code can never be relayed over an open-redirect-prone or interceptable channel.

@safe bool isAllowedRedirectScheme()
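
The policy described above, as an added Python example (not the project's own code). The function name, the rejection of backslashes, whitespace and control characters, and the rejection of URIs without a host are assumptions of this example; the sample URIs are constructed.

```python
from urllib.parse import urlsplit

# Loopback hosts the page lists for plain http (RFC 8252 section 7.3).
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def is_allowed_redirect_scheme(redirect_uri: str) -> bool:
    """Hypothetical Python rendering of the policy described above."""
    # Assumption of this example: refuse backslashes, whitespace and control
    # characters, because URL parsers disagree on how to read them.
    if any(ch <= " " or ch in "\\\x7f" for ch in redirect_uri):
        return False
    try:
        parts = urlsplit(redirect_uri)
        # .hostname is lower-cased, with userinfo, port and [] brackets removed,
        # so the comparison is against the real host, not a prefix of the URI.
        host = parts.hostname
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False
    if not host:  # assumption: a URI without a host is rejected
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return host in LOOPBACK_HOSTS
    return False  # custom/private-use and every other scheme


# Constructed sample redirect URIs (not taken from the page).
SAMPLES = [
    "https://client.example/cb",
    "http://127.0.0.1:49152/cb",
    "http://[::1]:8080/cb",
    "http://client.example/cb",
    "http://localhost.evil.example/cb",
    "http://127.0.0.1@evil.example/cb",
    "com.example.app:/oauth2redirect",
]


def evaluate_samples() -> dict:
    """Map each constructed sample URI to the policy verdict."""
    return {uri: is_allowed_redirect_scheme(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, ok in evaluate_samples().items():
        print(f"{'allow ' if ok else 'reject'}  {uri}")
```

The host comparison is an exact match on the parsed host, which is why look-alike hosts and loopback addresses placed in the userinfo part are rejected.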