[Openid-specs-ab] Processing sector_identifier_uri values
Michael.Jones at microsoft.com
Wed Oct 30 00:59:39 UTC 2013
In his review of Registration, George wrote the following about http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation:
> It seems like there is some pretty complicated OP logic required to process the sector_identifier_uri.
> Given that the list of allowed redirect_uris in the JSON file can change at any time, the OP would
> need to pull the file and verify that the current client redirect_uri is still present in the list. That is too much
> overhead to do at token issuance. Should we have some guidance that redirect_uris can be added to the
> sector_identifier_uri file but SHOULD NOT be removed. Removing a redirect_uri from the file results in
> undefined behavior? With this guidance the OP can do all the necessary checking at client registration
> time which seems reasonable.
It's always been my assumption that the sector_identifier_uri is validated once at registration time and never fetched again. If people agree, I think we should say that.
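
A sketch of the one-time, registration-time check discussed in this message, added here as an example; it is not code from the original post or from the specification. The `fetch` callable, the error class and the sample URLs are assumptions, and the file contents are constructed so the check runs offline.

```python
import json
from urllib.parse import urlsplit


class SectorIdentifierError(ValueError):
    """Raised when client registration must be rejected."""


def validate_sector_identifier(sector_identifier_uri, redirect_uris, fetch):
    """Validate once at registration; return the sector identifier (the host).

    `fetch` is a hypothetical callable(url) -> bytes supplied by the OP. It is
    injected so the logic can be exercised without network access.
    """
    parts = urlsplit(sector_identifier_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise SectorIdentifierError("sector_identifier_uri must be an https URL")
    try:
        listed = json.loads(fetch(sector_identifier_uri))
    except (ValueError, OSError) as exc:
        raise SectorIdentifierError("could not fetch or parse the JSON file") from exc
    if not isinstance(listed, list) or not all(isinstance(u, str) for u in listed):
        raise SectorIdentifierError("file must contain a JSON array of strings")
    # Exact string comparison: every registered redirect_uri must be listed.
    allowed = set(listed)
    missing = [u for u in redirect_uris if u not in allowed]
    if missing:
        raise SectorIdentifierError(f"redirect_uris not in file: {missing}")
    # The OP stores this value with the client record and does not refetch.
    return parts.hostname


# Constructed sample: the JSON file an RP would host at its sector_identifier_uri.
SAMPLE_FILE = b'["https://app.example.com/cb", "https://other.example.net/cb"]'
# Constructed sample: the same file after the RP removed one redirect_uri.
SAMPLE_FILE_AFTER_REMOVAL = b'["https://app.example.com/cb"]'


def sample_fetch(url):
    return SAMPLE_FILE


def sample_fetch_after_removal(url):
    return SAMPLE_FILE_AFTER_REMOVAL
```

Running the same check against `sample_fetch_after_removal` for a client registered with both redirect_uris fails, which is the situation the quoted review describes for an OP that refetches the file after registration.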