[Openid-specs-ab] Issue #1272: client_id in SIOP (openid/connect)
issues-reply at bitbucket.org
Tue Jul 27 21:29:35 UTC 2021
New issue 1272: client_id in SIOP
Currently, SIOP assumes that `client_id` = `redirect_uri`. However, taking into account that a cross-device SIOP model is being considered/implemented, it would make sense to use both `client_id` and `redirect_uri` in SIOP, just like in the Implicit Flow.
More concretely, when a SIOP request is signed, there is a need to validate the signature against the appropriate key for the `client_id`, which is not the same as the `redirect_uri` where SIOP is sending the response.
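The check described in the issue, as an added example that is not part of the original message or of any OpenID specification text: the verifier selects the verification key by `client_id` and treats `redirect_uri` only as the response destination. The compact JWS with Ed25519, the in-memory key map, and the names `Request`, `SignRequest` and `VerifyRequest` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Request struct { // subset of request object claims, constructed for this example
	ClientID    string `json:"client_id"`
	RedirectURI string `json:"redirect_uri"`
}

var b64 = base64.RawURLEncoding

// SignRequest builds a compact JWS (EdDSA) over the request claims.
func SignRequest(r Request, priv ed25519.PrivateKey) string {
	body, _ := json.Marshal(r)
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyRequest looks the key up by client_id, never by redirect_uri, and
// returns redirect_uri only after the signature has verified under that key.
func VerifyRequest(jws string, keys map[string]ed25519.PublicKey) (string, error) {
	p := strings.Split(jws, ".")
	if len(p) != 3 {
		return "", errors.New("malformed request object")
	}
	body, err1 := b64.DecodeString(p[1])
	sig, err2 := b64.DecodeString(p[2])
	var r Request
	if err1 != nil || err2 != nil || json.Unmarshal(body, &r) != nil {
		return "", errors.New("undecodable request object")
	}
	if key, ok := keys[r.ClientID]; !ok || !ed25519.Verify(key, []byte(p[0]+"."+p[1]), sig) {
		return "", errors.New("no key for client_id, or signature invalid")
	}
	return r.RedirectURI, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	jws := SignRequest(Request{ClientID: "https://rp.example", RedirectURI: "https://rp.example/cb"}, priv)
	fmt.Println(VerifyRequest(jws, map[string]ed25519.PublicKey{"https://rp.example": pub}))
}
```

The verifier always checks with Ed25519 regardless of the header, so the `alg` value in the request cannot steer it to a different algorithm.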