[Openid-specs-ab] Processing sector_identifier_uri values
jricher at mitre.org
Thu Oct 31 14:16:33 UTC 2013
How about language that says the sector identifier would be pulled down
at registration and heavily cached.
On 10/29/2013 08:59 PM, Mike Jones wrote:
> In his review of Registration, George wrote the following about
> It seems like there is some pretty complicated OP logic required to
> process the sector_identifier_uri.
> Given that the the list of allowed redirect_uris in the JSON file can
> change at any time! the OP would
> need to pull the file and verify that the current client redirect_uri
> is still present in the list. That is too much
> over head to do at token issuance. Should we have some guidance that
> redirect_uris can be added to the
> sector_identifier_uri file but SHOULD NOT be removed. Removing a
> redirect_uri from the file results in
> undefined behavior? With this guidance the OP can do all the necessary
> checking at client registration
> time which seems reasonable.
> It's always been my assumption that the sector_identifier_uri is
> validated once at registration time and never fetched again. If
> people agree, I think we should say that.
> -- Mike
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab