### Describe the bug

I am self-hosting Ory Hydra 2.2.0 in Docker, using the 'pairwise' subject identifier mode.

I am trying to register a (in fact, merely update an existing) client that needs to have multiple redirect URIs.

While it works without error, attempting to perform a standard OIDC authorization_code flow throws this error in Hydra:

"OAuth 2.0 Client xxxxxxxxxx has multiple redirect_uris but no sector_identifier_uri was set which is not allowed when performing using subject type pairwise. Please reconfigure the OAuth 2.0 client properly"

I managed to create a JSON file for the `sector_identifier_uri`, which I can see Hydra hit and parsed when updating the client. Then it never seems to hit that URI again as part of a standard OIDC flow. Indeed, as https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation says (my emphasis in bold):

> This MUST be validated at registration time; there is no requirement for the OP to retain the contents of this JSON file or to retrieve or revalidate its contents in the future.

My problem is this: I read the OIDC specs, and it seems to me that `sector_identifier_uri` need only be provided if using Dynamic Client Registration. https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

> If the Client has not provided a value for sector_identifier_uri in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri. If there are multiple hostnames in the registered redirect_uris, the Client MUST register a sector_identifier_uri.

If I am creating a client myself (as the Hydra administrator), from the CLI, what value is there in needing to supply the sector_identifier_uri? I could just change the value in the database afterward and Hydra would not know the difference, since it doesn't seem to 'check' that JSON file except upon creation/updating of the client.

I'm wondering if it would be reasonable to allow skipping the fetching and parsing of the sector_identifier_uri resource if the route to create that OIDC client is not via Dynamic Client Registration, on the implicit understanding that the administrator is 'vetting' the info by adding the client themselves.

It is, of course, necessary for there to be a URI value in the `sector_identifier_uri` field of the Hydra client in the database, for calculating the pairwise sub on normal logins. However, when creating the client by any means other than Dynamic Client Registration, I think Hydra should just take a supplied URL from the administrator's command 'as is' for use with the pairwise calculation later, rather than perform any validation on the contents of that URL, since that validation only makes sense in the context of Dynamic Client Registration.

### Reproducing the bug

1. Update the client:
2. Try to perform an OAuth flow using one of the redirect URIs.

### Relevant log output

"OAuth 2.0 Client xxxxxxxxxx has multiple redirect_uris but no sector_identifier_uri was set which is not allowed when performing using subject type pairwise. Please reconfigure the OAuth 2.0 client properly"
### Relevant configuration
_No response_
### Version
2.2.0
### On which operating system are you observing this issue?
Linux
### In which environment are you deploying?
Docker
### Additional Context
_No response_
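The pairwise rules the issue quotes, as an added illustration that is not part of the original issue and not Hydra's own code: deriving the Sector Identifier from a client's redirect_uris or its sector_identifier_uri (OIDC Core 8.1), the registration-time check of the sector document (OIDC Registration 5), and the example pairwise sub derivation from OIDC Core 8.1. The URIs, the account id and the salt are constructed sample values.

```python
import hashlib
import json
from urllib.parse import urlparse


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Sector Identifier per OIDC Core 8.1: the host of sector_identifier_uri
    when set, otherwise the single host shared by all registered redirect_uris."""
    if sector_identifier_uri:
        parsed = urlparse(sector_identifier_uri)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("sector_identifier_uri must be an https URL")
        return parsed.hostname
    hosts = {urlparse(uri).hostname for uri in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        # The condition behind the "multiple redirect_uris but no
        # sector_identifier_uri" rejection quoted in the issue.
        raise ValueError("redirect_uris span several hosts but no "
                         "sector_identifier_uri is set")
    return hosts.pop()


def validate_sector_document(document, redirect_uris):
    """Registration-time check from OIDC Registration 5: the JSON array served
    at sector_identifier_uri must list every registered redirect_uri."""
    listed = json.loads(document)
    if not isinstance(listed, list):
        raise ValueError("sector document must be a JSON array of redirect URIs")
    missing = [uri for uri in redirect_uris if uri not in listed]
    if missing:
        raise ValueError("redirect_uris missing from sector document: %s" % missing)
    return True


def pairwise_sub(sector, local_account_id, salt):
    """Example derivation from OIDC Core 8.1 (an illustration, not Hydra's own
    algorithm): hex(SHA-256(sector_identifier || local_account_id || salt))."""
    return hashlib.sha256((sector + local_account_id + salt).encode()).hexdigest()


# Constructed sample client: two redirect hosts, so a sector_identifier_uri is required.
REDIRECT_URIS = ["https://app.example.com/callback", "https://admin.example.net/callback"]
SECTOR_URI = "https://app.example.com/sector.json"
# Constructed stand-in for the document Hydra fetches once, when the client is updated.
SECTOR_DOC = json.dumps(REDIRECT_URIS)
```

Because the sub is derived from the Sector Identifier rather than from the individual redirect host, a user keeps one stable sub across both redirect hosts only when the client resolves to a single sector.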