[Openid-specs-ab] Issue #1016: Registration : redirect_uris changed by server (openid/connect)
issues-reply at bitbucket.org
Fri Apr 14 00:05:08 UTC 2017
New issue 1016: Registration : redirect_uris changed by server
In section 3.2 Client Registration Response :
The Authorization Server MAY reject or replace any of the Client's requested field values and substitute them with suitable values.
If this happens, the Authorization Server MUST include these fields in the response to the Client.
There is no provision that states that redirect_uris must be echoed back to the client. If the server changes any of the redirect_uris, what does the client do?
There is no provision for the client to check that the redirect_uris are the same as what was sent in the request. Theoretically, clients could end up with client_ids that don't work.
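
A client-side check of the kind the message above says the specification does not provide, as an added example that is not part of the original post or of the OpenID Connect specification. The function names, the choice to compare list-valued fields without regard to order, and the sample request and response are assumptions made for illustration.

```python
import json

# Metadata fields treated as unordered lists (assumption for this example).
SET_VALUED = {"redirect_uris", "response_types", "grant_types", "contacts"}


def _normalise(field, value):
    # Compare list-valued fields as sets; URIs are matched as exact strings.
    if field in SET_VALUED and isinstance(value, list):
        return frozenset(value)
    return value


def audit_registration(requested, response):
    """Return {field: (status, requested_value, returned_value)} for every
    requested field the server did not confirm unchanged."""
    findings = {}
    for field, want in requested.items():
        if field not in response:
            # Not echoed: the client cannot tell what was actually stored.
            findings[field] = ("not_echoed", want, None)
        elif _normalise(field, response[field]) != _normalise(field, want):
            findings[field] = ("replaced", want, response[field])
    return findings


def usable_redirect_uris(requested, response):
    """redirect_uris the client asked for AND the server returned."""
    confirmed = set(response.get("redirect_uris", []))
    return [u for u in requested.get("redirect_uris", []) if u in confirmed]


# Constructed sample data, not taken from any real server.
REQUEST = json.loads("""{
  "redirect_uris": ["https://client.example.org/cb", "https://client.example.org/cb2"],
  "token_endpoint_auth_method": "client_secret_basic",
  "client_name": "Sample Client"
}""")
RESPONSE = json.loads("""{
  "client_id": "constructed-client-id",
  "redirect_uris": ["https://client.example.org/cb"],
  "token_endpoint_auth_method": "client_secret_post"
}""")

if __name__ == "__main__":
    for field, (status, want, got) in audit_registration(REQUEST, RESPONSE).items():
        print(f"{field}: {status}: requested={want!r} returned={got!r}")
    print("usable:", usable_redirect_uris(REQUEST, RESPONSE))
```

A client that gets a `replaced` or `not_echoed` finding for `redirect_uris` can stop before sending an authorization request with a URI the server never stored.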