You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As per discussion in #263 I believe we should remove this Client ID scheme because there is no way to get authoritative metadata for the client which isn't open to un-detectable manipulation by the requestor impersonating the client. Put another way, with the redirect_uri client ID scheme there is no way to sign the request, have pre-registered metadata about the client nor a trusted way to resolve the clients metadata from a URL, thus meaning any client metadata reported in the client metadata parameter is entirely self-attested metadata about the client set by the requestor.
The text was updated successfully, but these errors were encountered:
The redirect_uri scheme has seen a pattern of use in early implementations/interops due to the simplicity of it. We probably shouldn't remove it without adding something similarly lightweight instead, e.g. the well-known based scheme suggested in #82
As per discussion in #263 I believe we should remove this Client ID scheme because there is no way to get authoritative metadata for the client which isn't open to un-detectable manipulation by the requestor impersonating the client. Put another way, with the redirect_uri client ID scheme there is no way to sign the request, have pre-registered metadata about the client nor a trusted way to resolve the clients metadata from a URL, thus meaning any client metadata reported in the client metadata parameter is entirely self-attested metadata about the client set by the requestor.
The text was updated successfully, but these errors were encountered: