Registration : redirect_uris changed by server
Issue #1016
resolved
In section 3.2 Client Registration Response:
The Authorization Server MAY reject or replace any of the Client's requested field values and substitute them with suitable values.
If this happens, the Authorization Server MUST include these fields in the response to the Client.
There is no provision that states that redirect_uris must be echoed back to the client. If the server changes any of the redirect_uris, what does the client do?
There is no provision for the client to check that the redirect_uris are the same as what was sent in the request. Theoretically, clients could end up with client_ids that don't work.
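One way a client can protect itself against the situation described in this issue is to fail closed when the registration response does not echo its redirect_uris exactly. The following is an added example, not code from the issue or from the OpenID Connect specifications; the request and response dictionaries are constructed, and treating a missing redirect_uris field as a failure is a conservative policy choice assumed here.

```python
class RegistrationError(Exception):
    """Raised when a dynamic registration response must not be trusted."""


def check_redirect_uris(request: dict, response: dict) -> dict:
    """Verify that the server returned the client's redirect_uris unchanged.

    OpenID Connect compares redirect URIs by exact string match, so no
    normalisation is applied: any difference counts as a change. Order and
    duplicates are ignored because the field is a set of values.
    Returns the response when it is acceptable, otherwise raises.
    """
    if "client_id" not in response:
        raise RegistrationError("registration response lacks client_id")

    requested = set(request.get("redirect_uris") or [])
    if not requested:
        raise RegistrationError("client did not request any redirect_uris")

    # Assumed policy: a response that is silent about redirect_uris cannot be
    # verified, so the client refuses to use the issued client_id.
    if "redirect_uris" not in response:
        raise RegistrationError("server did not echo redirect_uris")

    returned = set(response["redirect_uris"])
    dropped = sorted(requested - returned)
    added = sorted(returned - requested)
    if dropped or added:
        raise RegistrationError(
            f"server altered redirect_uris (dropped={dropped}, added={added})"
        )
    return response


# Constructed sample exchange: the server echoes the URIs in a different
# order, which is acceptable; the values themselves are unchanged.
SAMPLE_REQUEST = {
    "redirect_uris": ["https://rp.example/cb", "https://rp.example/cb2"],
    "client_name": "Example RP",
}
SAMPLE_RESPONSE = {
    "client_id": "s6BhdRkqt3",
    "redirect_uris": ["https://rp.example/cb2", "https://rp.example/cb"],
    "client_name": "Example RP",
}

if __name__ == "__main__":
    print(check_redirect_uris(SAMPLE_REQUEST, SAMPLE_RESPONSE)["client_id"])
```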
Comments (3)
- changed milestone to Errata
- changed component to Registration
- assigned issue to
We should clarify that the server cannot change requested redirect_uri values. Doing so is a server bug and a security issue.
- changed status to resolved
Fixed
#1016 - Specified that the server cannot change the redirect_uris value → <<cset 430a959a9540>>
Since the redirect_uris originate with the RP (client) during registration I do not believe that any other server should be allowed to substitute them.