[Openid-specs-ab] Issue #1016: Registration : redirect_uris changed by server (openid/connect)

Edmund Jay issues-reply at bitbucket.org
Fri Apr 14 00:05:08 UTC 2017

New issue 1016: Registration : redirect_uris changed by server

Edmund Jay:

In section 3.2 Client Registration Response : 


The Authorization Server MAY reject or replace any of the Client's requested field values and substitute them with suitable values. 
If this happens, the Authorization Server MUST include these fields in the response to the Client.

There is no provision that states that redirect_uris must be echoed back to the client. If the server changes any of the redirect_uris, what does the client do?

There is no provision for the client to check that the redirect_uris are the same as what was sent in the request. Theoretically, clients could end up with a client_ids that don't work.

More information about the Openid-specs-ab mailing list