Core 8.1 Pairwise identifier algorithm and native apps
If a native app is registered with a redirect URI scheme that does not have a host component, the calculation of the sub will fail. Possible solutions would be to demand a sector_identifier_uri or use the whole URI in the calculation of the sub. If the scheme is of a type other than https or http and application_type=native.
3.1.2.1 The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.
8.1. Pairwise Identifier Algorithm If the Client has not provided a value for sector_identifier_uri in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri. If there are multiple hostnames in the registered redirect_uris, the Client MUST register a sector_identifier_uri.
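The failure described in this issue, as an added example that is not part of the original report or of any OpenID Provider's code: the Sector Identifier is taken from the host component of the registered redirect URIs, so a custom-scheme or URN redirect URI with no host leaves nothing to feed into the sub calculation. The function names, the sample URIs and the SHA-256 concatenation used for the sub are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit


class SectorIdentifierError(ValueError):
    """Raised when no unambiguous Sector Identifier can be derived."""


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the Sector Identifier host following the Core 8.1 text quoted above."""
    if sector_identifier_uri:
        host = urlsplit(sector_identifier_uri).hostname
        if not host:
            raise SectorIdentifierError("sector_identifier_uri has no host")
        return host
    hosts = set()
    for uri in redirect_uris:
        host = urlsplit(uri).hostname
        if not host:
            # Custom-scheme or URN redirect URI: the case this issue reports.
            raise SectorIdentifierError(f"no host component in {uri!r}")
        hosts.add(host)
    if len(hosts) != 1:
        raise SectorIdentifierError(
            "need exactly one host or a sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(sector_id, local_account_id, salt):
    """Assumed derivation: SHA-256(sector_id || local_account_id || salt)."""
    data = sector_id.encode() + local_account_id.encode() + salt
    return hashlib.sha256(data).hexdigest()


def register(redirect_uris, sector_identifier_uri=None):
    """Return (ok, detail) for a constructed registration request."""
    try:
        return True, sector_identifier(redirect_uris, sector_identifier_uri)
    except SectorIdentifierError as exc:
        return False, str(exc)
```

Rejecting the registration at this point, rather than hashing an empty host, keeps two unrelated native clients from silently sharing one sector and therefore one sub per user.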
Comments (6)
-
reporter A custom URI scheme does not need to include a hostname. A custom URI can very well be a URN.
-
I guess the spec could be read in more than one way. I see (custom URI scheme or http: scheme) && localhost as hostname, forcing even custom schemes to use localhost as hostname.
The point also mentioned in the spec is to force all natives to use localhost which is forbidden in web ones, making it impossible to share client credentials across different client types.
-
John Bradley recently clarified the hostname part to me. Native clients can indeed use any hostname with custom URI schemes, and only localhost for the http scheme.
- edited description
- changed status to open
IIRC a native application should never register URIs without a host component; as a matter of fact, native applications should be forced to use localhost as hostname. From Dynamic Client Registration 1.0#ClientMetadata: