[Openid-specs-ab] Issue #1398: SIOP v2-06: redirect_uri in signed requests (openid/connect)

chrisiba issues-reply at bitbucket.org
Wed Jan 19 14:29:02 UTC 2022


New issue 1398: SIOP v2-06: redirect_uri in signed requests
https://bitbucket.org/openid/connect/issues/1398/siop-v2-06-redirect_uri-in-signed-requests

Christina Bauer:

[Section 10.2](https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-non-pre-registered-relying-) states for signed authentication requests:

> In this case, `client_id` MUST NOT equal `redirect_uri`.

In contrast to this, [Section 11](https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-self-issued-openid-provider-a) reads for the `redirect_uri`:

> REQUIRED. MUST equal the `client_id` value. MUST be included for compatibility reasons.

It is not clear to me what the exact requirements on the `redirect_uri` are when the request is signed.

OpenID Connect Core Section 6 allows signing only parts of the request to form a request object and passing some request parameters "using the OAuth 2.0 request syntax". Does "the Self-Issued OP request is signed" in [Section 10.2](https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-non-pre-registered-relying-) mean ALL request parameters MUST be contained in the signed request (in particular, that the `redirect_uri` is part of / duplicated in the signed request)?

I suggest making the language in [Section 10.2](https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-non-pre-registered-relying-) more explicit to clarify this.
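The following is an added example, not part of the issue above and not code from the OpenID Connect specifications or any SIOP implementation. It builds a constructed SIOP-style authentication request whose `redirect_uri` appears both as an outer query parameter and inside a signed request object, verifies the request object, and then evaluates the two quoted clauses side by side, together with the OpenID Connect Core Section 6.1 rule that outer `client_id`/`response_type` values must match the request object. The HS256 key, the `rp.example` URLs and the claim values are assumptions chosen so the block runs offline; a real Relying Party would sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real SIOP request object would be signed with an asymmetric key.
KEY = b"constructed-demo-key"
AUTHZ_ENDPOINT = "openid://"  # assumed Self-Issued OP endpoint for the example


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT carrying the request parameters (constructed example)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_request_object(jwt: str, key: bytes) -> dict:
    """Verify the HS256 signature and return the claims; reject unsigned/tampered objects."""
    header, payload, sig = jwt.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("request object signature invalid")
    return json.loads(b64url_decode(payload))


def check_siop_request(request_url: str, key: bytes) -> dict:
    """Evaluate a request against the two quoted clauses and Core 6.1 parameter matching."""
    outer = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    inner = verify_request_object(outer["request"], key) if "request" in outer else {}
    # Core 6.1: any parameter present both outside and inside must carry the same value.
    mismatches = sorted(k for k in outer if k in inner and outer[k] != inner[k])
    merged = {**outer, **inner}  # values in the request object supersede the outer ones
    signed = bool(inner)
    return {
        "signed": signed,
        "redirect_uri_in_request_object": "redirect_uri" in inner,
        "outer_inner_mismatch": mismatches,
        # SIOP v2-06 Section 10.2 (signed requests): client_id MUST NOT equal redirect_uri.
        "satisfies_10_2": (merged.get("client_id") != merged.get("redirect_uri")) if signed else None,
        # SIOP v2-06 Section 11: redirect_uri MUST equal client_id.
        "satisfies_11": merged.get("redirect_uri") == merged.get("client_id"),
    }


def build_signed_request() -> str:
    """Signed request: redirect_uri is duplicated outside and inside the request object."""
    claims = {
        "iss": "https://rp.example",
        "client_id": "https://rp.example",
        "redirect_uri": "https://rp.example/cb",
        "response_type": "id_token",
        "scope": "openid",
        "nonce": "n-0S6_WzA2Mj",  # constructed value
    }
    outer = {
        "client_id": claims["client_id"],
        "response_type": claims["response_type"],
        "redirect_uri": claims["redirect_uri"],
        "request": sign_request_object(claims, KEY),
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(outer)}"


def build_unsigned_request() -> str:
    """Plain request (no request object): redirect_uri equals client_id, as Section 11 demands."""
    outer = {
        "client_id": "https://rp.example/cb",
        "redirect_uri": "https://rp.example/cb",
        "response_type": "id_token",
        "scope": "openid",
        "nonce": "n-0S6_WzA2Mj",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(outer)}"


if __name__ == "__main__":
    print(json.dumps(check_siop_request(build_signed_request(), KEY), indent=2))
    print(json.dumps(check_siop_request(build_unsigned_request(), KEY), indent=2))
```

Running it shows the tension the issue raises: the signed request satisfies Section 10.2 (`client_id` differs from `redirect_uri`) but not Section 11, while the unsigned request satisfies Section 11 and Section 10.2 simply does not apply. The outer/inner comparison is the check an OP would make under Core 6.1 regardless of how the SIOP text is eventually clarified.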
