[Openid-specs-ab] Dynamic Client Registration - Bad Security Recommendation?
Marcos Sanz
sanz at denic.de
Mon Sep 2 12:43:17 UTC 2019
Dear all,
at our IdP deployment with an open client registration endpoint we have
implemented the recommendations from the security considerations (
https://openid.net/specs/openid-connect-registration-1_0.html#Impersonation
), specifically:
"The Authorization Server SHOULD check to see if the logo_uri and
policy_uri have the same host as the hosts defined in the array of
redirect_uris."
I am getting some pushback from the clients, who claim that their assets
might come from CDNs, whose URLs usually differ from the callback URL
host. Additional feedback from Auth0, with whom I was having this
discussion, was also that native-type clients (= not web) would require
an http://localhost callback anyway, so there this check wouldn't work
very well anyway. Also for cases where there's an identity broker in
between, such as with Auth0, it's usually not what you want as a developer.
Finally, and since more than one redirect_uri can be registered at the
IdP, what prevents a malicious client from registering, besides their real
redirect_uri, additional random-hosts-under-attack just to satisfy the
aforementioned check, thus rendering it useless?
All in all, for me it looks like the spec recommendation is
outdated/insufficient/counterproductive. I'd love to hear your thoughts
about that.
Best,
Marcos
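The host check the post quotes, implemented as an added example (not code from the thread, the spec, or any IdP) so the three situations raised above can be tried against it; the registration documents and host names are constructed samples.

```python
from urllib.parse import urlparse


def _host(uri):
    """Return the lowercased host of a URI, or None if it has no host part
    (e.g. a native client's custom-scheme redirect such as com.app:/cb)."""
    hostname = urlparse(uri).hostname
    return hostname.lower() if hostname else None


def check_asset_hosts(registration):
    """Apply the SHOULD check from the Impersonation section: the host of
    logo_uri and policy_uri must be among the hosts of redirect_uris.
    Returns a list of problems; an empty list means the check passed."""
    redirect_hosts = {h for h in map(_host, registration.get("redirect_uris", [])) if h}
    problems = []
    for field in ("logo_uri", "policy_uri"):
        uri = registration.get(field)
        if uri is None:
            continue  # both fields are optional client metadata
        host = _host(uri)
        if host not in redirect_hosts:
            problems.append(
                f"{field} host {host!r} not among redirect_uris hosts {sorted(redirect_hosts)}"
            )
    return problems


# Constructed registrations (hypothetical hosts) for the cases in the post.
CDN_CLIENT = {  # logo served from a CDN host: rejected by the check
    "redirect_uris": ["https://app.example/cb"],
    "logo_uri": "https://cdn.example/app/logo.png",
}
NATIVE_CLIENT = {  # native client with a localhost callback: rejected
    "redirect_uris": ["http://localhost/cb"],
    "logo_uri": "https://app.example/logo.png",
}
PADDED_CLIENT = {  # extra redirect_uri on the logo's host: check passes
    "redirect_uris": ["https://app.example/cb", "https://brand.example/"],
    "logo_uri": "https://brand.example/logo.png",
}

if __name__ == "__main__":
    for name, reg in (("CDN", CDN_CLIENT), ("native", NATIVE_CLIENT), ("padded", PADDED_CLIENT)):
        print(name, check_asset_hosts(reg) or "passes")
```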