[Openid-specs-ab] [openid/connect] Behavior for clients without registered redirect_uris is not well defined (issue #591)
issues-reply at bitbucket.org
Fri May 18 14:59:46 UTC 2012
New issue 591: Behavior for clients without registered redirect_uris is not well defined
Section 3.2.1 of OpenIDConnect Standard states that the redirect_uri provided in the Authz request "MUST match one of the redirect_uris registered for the client_id in the OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] specification."
Dynamic Client Registration, Section 2.1 states that the redirect_uris parameter is "RECOMMENDED for Clients using the code flow with a query parameter encoded response. REQUIRED for Clients requesting implicit flow fragment encoded responses as defined in OAuth 2.0 [OAuth2.0]."
The behavior when a client is NOT using the Dynamic Registration spec, or IS using it but has not registered any URIs, is not well defined in OpenIDConnect Standard.
What should happen if a client IS using DynClientReg, but has not registered any URIs?
What should happen if a client is NOT using DynClientReg, and no URIs are pre-configured for that client?
Should either of these be error conditions, or should the request just be allowed through as long as the redirect_uri parameters on the AuthZ and Token requests match?
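The two checks the issue touches on, as an added example that is not code from the OpenID Foundation, the specification or the issue reporter: an authorization server's validation of the redirect_uri on the authorization request against the client's registered redirect_uris (exact string comparison, as OAuth 2.0 requires, with no prefix or wildcard matching) and the later check that the redirect_uri on the token request is identical to the one used on the authorization request. The issue leaves open what to do when a client has no registered redirect_uris; the example takes the strict option and treats that as an error, which is an assumption of this example, not a position the spec text quoted above takes. The registry contents, client_ids and URIs are constructed sample data.

```python
"""Strict redirect_uri validation for an OpenID Connect authorization server.

Added example, not code from the OpenID Connect specifications. The policy
for clients with no registered redirect_uris is an assumption: such requests
are rejected rather than allowed through on the basis of the AuthZ/Token
parameters matching each other.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample registration data (hypothetical client_ids and URIs).
REGISTERED_REDIRECT_URIS: Dict[str, List[str]] = {
    "client-with-uris": ["https://app.example.com/cb", "https://app.example.com/alt"],
    "client-without-uris": [],  # registered dynamically, but never supplied redirect_uris
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def _is_absolute_uri_without_fragment(uri: str) -> bool:
    """OAuth 2.0 requires the redirection endpoint to be an absolute URI
    that carries no fragment component."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and "#" not in uri


def check_authorization_redirect_uri(
    client_id: str,
    redirect_uri: Optional[str],
    registry: Dict[str, List[str]],
) -> Decision:
    """Validate the redirect_uri parameter of an authorization request."""
    registered = registry.get(client_id)
    if registered is None:
        return Decision(False, "unknown client_id")
    if not registered:
        # Assumed policy (the issue leaves this open): a client that has not
        # registered any redirect_uris cannot be sent a response anywhere.
        return Decision(False, "no redirect_uris registered for this client")
    if redirect_uri is None:
        return Decision(False, "redirect_uri parameter missing")
    if not _is_absolute_uri_without_fragment(redirect_uri):
        return Decision(False, "redirect_uri must be an absolute URI without a fragment")
    # Exact string comparison only: "https://app.example.com/cb?x=1" or
    # "https://app.example.com/cb/other" must NOT pass as a match for
    # "https://app.example.com/cb".
    if redirect_uri not in registered:
        return Decision(False, "redirect_uri does not match a registered value")
    return Decision(True, "ok")


def check_token_redirect_uri(authz_redirect_uri: str, token_redirect_uri: Optional[str]) -> Decision:
    """The redirect_uri sent with the token request must be identical to the
    one that was accepted on the authorization request."""
    if token_redirect_uri != authz_redirect_uri:
        return Decision(False, "redirect_uri on token request differs from authorization request")
    return Decision(True, "ok")


if __name__ == "__main__":
    cases = [
        ("client-with-uris", "https://app.example.com/cb"),
        ("client-with-uris", "https://app.example.com/cb?x=1"),
        ("client-with-uris", "https://app.example.com/cb#frag"),
        ("client-without-uris", "https://app.example.com/cb"),
        ("no-such-client", "https://app.example.com/cb"),
    ]
    for cid, uri in cases:
        d = check_authorization_redirect_uri(cid, uri, REGISTERED_REDIRECT_URIS)
        print(f"{cid:22} {uri:38} -> {'accept' if d.accepted else 'reject'}: {d.reason}")
    d = check_token_redirect_uri("https://app.example.com/cb", "https://app.example.com/alt")
    print(f"token request check -> {'accept' if d.accepted else 'reject'}: {d.reason}")
```

The two checks are deliberately separate: the authorization-request check is what binds the response to a URI the client actually controls, and the token-request comparison only confirms that the same client is completing the same request. Relying on the second alone, which is what "allowed through as long as the parameters match" would amount to, gives no assurance about where the authorization response was sent.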