Remove client_id_scheme = redirect_uri
#269
Comments
|
The redirect_uri scheme has seen a pattern of use in early implementations/interops due to the simplicity of it. We probably shouldn't remove it without adding something similarly lightweight instead, e.g. the well-known based scheme suggested in #82 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As per discussion in #263 I believe we should remove this Client ID scheme because there is no way to get authoritative metadata for the client which isn't open to un-detectable manipulation by the requestor impersonating the client. Put another way, with the redirect_uri client ID scheme there is no way to sign the request, have pre-registered metadata about the client nor a trusted way to resolve the clients metadata from a URL, thus meaning any client metadata reported in the client metadata parameter is entirely self-attested metadata about the client set by the requestor.
The text was updated successfully, but these errors were encountered: