First register a domain of mydomain.com and then try to get a token with the callback URL set to http://www.mydomain.com/. My understanding is this should work since I have registered the main domain. All sub-domains should automatically work, right?
Second, try using the correct domain but with https instead of http for the callback URL, i.e. https://mydomain.com/
Did I miss something obvious or are these real bugs?
The first one is not a bug. Our current security policy requires exact host match.
As to the second one, I have tried it myself by registering a ckey with http callback URL and then constructing requests that use https callback URL and cannot reproduce it. Can you please provide the exact steps on how to reproduce this issue?
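The exact-host-match policy from the reply above, sketched as an added example that is not part of the original thread and not the provider's code. The function names and the `attacker.example` hosts are constructed for illustration, and the sketch compares the host only, because the thread does not say how scheme or port are treated.

```python
from urllib.parse import urlsplit


def callback_host(url):
    """Return the normalized host of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname is lowercased and has userinfo ("user@") and port removed.
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # treat "mydomain.com." like "mydomain.com"


def host_matches_exactly(registered_url, requested_url):
    """Exact host match: a subdomain of the registered host does not count."""
    registered = callback_host(registered_url)
    requested = callback_host(requested_url)
    return registered is not None and registered == requested


def naive_prefix_check(registered_url, requested_url):
    """Weak string comparison, shown only for contrast with the check above."""
    return requested_url.startswith(registered_url.rstrip("/"))


# Constructed sample data: the registered callback and candidate callbacks.
REGISTERED = "http://mydomain.com/"
CANDIDATES = [
    "http://mydomain.com/callback",          # same host
    "http://MyDomain.com:80/",               # same host, different case
    "http://www.mydomain.com/",              # subdomain, as in the question
    "http://mydomain.com.attacker.example/", # registered name used as a prefix
    "http://mydomain.com@attacker.example/", # registered name in userinfo
]


def compare_checks():
    """Map each candidate to (exact host match, naive prefix check)."""
    return {c: (host_matches_exactly(REGISTERED, c),
                naive_prefix_check(REGISTERED, c)) for c in CANDIDATES}


if __name__ == "__main__":
    for url, (exact, naive) in compare_checks().items():
        print(f"{url:42} exact={exact!s:5} naive={naive}")
```

The last two candidates pass the string-prefix check but fail the parsed host comparison, which is the kind of gap a strict host policy closes.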