[Openid-specs-ab] Issue #1290: Remove client_id as redirect_uri and registration request parameters from SIOPv2 (openid/connect)

David Waite issues-reply at bitbucket.org
Mon Aug 16 22:44:37 UTC 2021


New issue 1290: Remove client_id as redirect_uri and registration request parameters from SIOPv2
https://bitbucket.org/openid/connect/issues/1290/remove-client_id-as-redirect_uri-and

David Waite:

Assuming SIOP v1 and v2 are distinct protocols, we should consider removing the ad hoc registration scheme rather than inheriting it into SIOP v2.

1. The reason to allow for non-authoritative registration metadata was due to there originally not being a scheme to resolve client metadata in OpenID. With OpenID Connect Federation, we now have a defined system of automatic registration via client metadata resolution.
2. Having a single format for registration (via automatic client registration as defined in OpenID Connect Federation) will simplify SIOP implementations.
3. There are distinct issues with the registration query parameter, such as the ability to maliciously capture id_tokens if the registration metadata is trusted to provide certain values, such as an alternative redirect_uri.

This proposal would be to:

1. Remove registration and registration_uri as acceptable parameters for SIOP v2, making them exclusive to SIOP v1.
2. client_id should be used to resolve OpenID Federation entity statements. Discussion on how this might be done for non-HTTPS-scheme URIs (such as DIDs) is at Issue #1289.
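As an added example (my illustration, not code from the issue, from the OpenID Connect Federation specification, or from any SIOP implementation), the following Python contrasts the two behaviours the issue is about: a Self-Issued OP that honours a redirect_uri carried in the inline registration parameter, and one that refuses inline registration and resolves client metadata from client_id alone, as proposal 2 suggests. The request URLs, the RP https://rp.example, the attacker host, and the in-memory table standing in for Federation entity-statement resolution are all constructed for the demonstration; the real protocol carries more parameters and checks than shown here.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for client metadata resolved from the client_id, i.e.
# what resolving an OpenID Connect Federation entity statement for
# https://rp.example might yield. No network access; no real endpoint.
RESOLVED_METADATA = {
    "https://rp.example": {"redirect_uris": ["https://rp.example/cb"]},
}

# Constructed requests. Both name the same client_id, which is what the user
# would be shown on a consent screen. The second adds an inline `registration`
# object whose redirect_uris point at a host that is not https://rp.example.
HONEST_REQUEST = "openid://?" + urlencode({
    "response_type": "id_token",
    "scope": "openid",
    "client_id": "https://rp.example",
    "redirect_uri": "https://rp.example/cb",
    "nonce": "n-0S6_WzA2Mj",
})
ATTACK_REQUEST = "openid://?" + urlencode({
    "response_type": "id_token",
    "scope": "openid",
    "client_id": "https://rp.example",
    "redirect_uri": "https://rp.example/cb",
    "nonce": "n-0S6_WzA2Mj",
    "registration": json.dumps(
        {"redirect_uris": ["https://attacker.example/cb"]}),
})


def parse_request(url):
    """Flatten the query string of a SIOP request URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def resolve_redirect_unsafe(url):
    """Inline-registration handling: the registration object may override
    redirect_uri. Returns (client_id shown to the user, redirect_uri the
    id_token is delivered to)."""
    req = parse_request(url)
    redirect_uri = req.get("redirect_uri", req["client_id"])
    if "registration" in req:
        reg = json.loads(req["registration"])
        # The problem from point 3: unauthenticated metadata supplied by
        # whoever built the link decides where the id_token goes.
        redirect_uri = reg.get("redirect_uris", [redirect_uri])[0]
    return req["client_id"], redirect_uri


def resolve_redirect_federation(url, resolver=RESOLVED_METADATA):
    """Handling per the proposal: client_id is the only key to metadata.
    Inline registration/registration_uri are refused, metadata is resolved
    from client_id, and redirect_uri must be one that metadata lists."""
    req = parse_request(url)
    if "registration" in req or "registration_uri" in req:
        raise ValueError("inline registration parameters are not accepted")
    metadata = resolver.get(req["client_id"])
    if metadata is None:
        raise ValueError("client_id could not be resolved to metadata")
    redirect_uri = req.get("redirect_uri", req["client_id"])
    if redirect_uri not in metadata["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client_id")
    return req["client_id"], redirect_uri


def is_rejected(url, resolver=RESOLVED_METADATA):
    """True if the hardened resolver refuses the request."""
    try:
        resolve_redirect_federation(url, resolver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("inline, honest    :", resolve_redirect_unsafe(HONEST_REQUEST))
    print("inline, attack    :", resolve_redirect_unsafe(ATTACK_REQUEST))
    print("federation, honest:", resolve_redirect_federation(HONEST_REQUEST))
    print("federation, attack rejected:", is_rejected(ATTACK_REQUEST))
```

With the inline path, the attack request shows the user https://rp.example but routes the id_token to https://attacker.example/cb; with the resolved-metadata path the same request is refused outright because it carries a registration parameter, and it would also fail the redirect_uri check if that parameter were stripped. The example only covers an https client_id; how resolution would work for non-HTTPS identifiers such as DIDs is the open question referred to Issue #1289.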
