Registration - 2 - Client metadata Redirect_uris as OPTIONAL
Currently the redirect_uris client metadata is set as REQUIRED, which seems obvious according to the grant_types description, which focuses only on authorization_code and implicit.
But according to the Discovery specification, we may support other grant types. If we support the client_credentials grant type, there is no need for redirect_uris.
Could we update the specification in order to make this metadata optional only if a supported grant_type has been requested that does not require redirect_uris matching?
If we do so, then that also impacts response_types and grant_types, which should not respectively be set to code & authorization_code by default.
Especially since having authorization_code and client_credentials on the same client is not recommended. We should then add a security appendix advising not to mix, in the same client, grant types that require a redirect_uri with others that do not. Ex: do not mix authorization_code and client_credentials in the same client.
Comments (4)
reporter: Thanks for your response. I am trying this on several open source solutions, but in all cases I get this kind of response:

    "redirect_uris": [],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": [
      "authorization_code",
      "client_credentials",
      "refresh_token"
    ],
    "response_types": [
      "code",
      "none"
    ],
    ...
Do you know any compliant openid provider that is able to handle this topic?
Thanks a lot for your help,
Alexandre.
e.g. https://github.com/panva/node-oidc-provider, where a property’s default value is only applied when the property is missing from the request, as I believe it should be

    npm i -g openid-client-cli
    openid-client create https://guarded-cliffs-8635.herokuapp.com/reg response_types=[] redirect_uris=[] grant_types=[client_credentials] | jq
    # omitting irrelevant properties from the response
    # {
    #   "grant_types": [
    #     "client_credentials"
    #   ],
    #   "response_types": [],
    #   "token_endpoint_auth_method": "client_secret_basic",
    #   "client_id_issued_at": 1559119533,
    #   "client_id": "w_hDN6mt7SL94XLPnRJmt",
    #   "client_secret_expires_at": 0,
    #   "client_secret": "OrnnAIBeWe-1vjJAhuqhb8cZeLOZMKp-2vkYOWdXhpLdXfotMhH6g9uFCoH6hNx8x67ESIAGaALxVfEs3mqtpA",
    #   "redirect_uris": []
    # }
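The registration-side check the issue asks for (redirect_uris mandatory only for redirect-based grants, no mixing of authorization_code and client_credentials) combined with the default handling described in the comment above (defaults applied only when a property is absent, an explicit empty array kept as sent), as an added example that is neither the issue's text nor node-oidc-provider's code; the function and constant names are hypothetical.

```javascript
// Added example (not from the issue or node-oidc-provider): validate a Dynamic
// Client Registration request per the thread's reasoning. Helper names are hypothetical.
const REDIRECT_GRANTS = new Set(['authorization_code', 'implicit']);
// Spec defaults (OpenID Connect Registration 1.0 section 2) for absent properties.
const DEFAULTS = { grant_types: ['authorization_code'], response_types: ['code'] };
// response_type parts and the grant type each one requires.
const RESPONSE_TO_GRANT = { code: 'authorization_code', token: 'implicit', id_token: 'implicit' };

function validateRegistration(request) {
  const meta = { ...request };
  // Fill defaults only when the key is missing; an explicit [] is kept as sent.
  for (const [key, value] of Object.entries(DEFAULTS)) {
    if (!(key in meta)) meta[key] = [...value];
  }
  if (!('redirect_uris' in meta)) meta.redirect_uris = [];
  const errors = [];
  const grants = meta.grant_types;
  const needsRedirect = grants.some((g) => REDIRECT_GRANTS.has(g));

  if (needsRedirect && meta.redirect_uris.length === 0) {
    errors.push('redirect_uris is required for authorization_code/implicit');
  }
  // Security appendix suggested in the issue: keep client_credentials in its own client.
  if (needsRedirect && grants.includes('client_credentials')) {
    errors.push('do not mix client_credentials with redirect-based grants');
  }
  // Each space-separated response_type part must be backed by its grant type.
  for (const rt of meta.response_types) {
    for (const part of rt.split(' ')) {
      const grant = RESPONSE_TO_GRANT[part];
      if (part !== 'none' && grant === undefined) errors.push(`unknown response_type ${part}`);
      else if (grant && !grants.includes(grant)) errors.push(`response_type ${part} requires ${grant}`);
    }
  }
  // Registered redirect URIs must be absolute and carry no fragment (RFC 6749 section 3.1.2).
  for (const uri of meta.redirect_uris) {
    let parsed;
    try { parsed = new URL(uri); } catch { errors.push(`redirect_uri not absolute: ${uri}`); continue; }
    if (parsed.hash) errors.push(`redirect_uri must not contain a fragment: ${uri}`);
  }
  return { ok: errors.length === 0, errors, metadata: meta };
}
```

A request of `{ grant_types: ['client_credentials'], response_types: [], redirect_uris: [] }` passes unchanged, while an empty request receives the spec defaults and is then rejected for the missing redirect_uris.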
reporter - changed status to resolved
Thanks for your support.
While the property is required, it’s okay for it to be empty. E.g., to register a device flow client, one would send a payload like this
It’s similar with client_credentials (change the auth method, replace grant types, remove application type?).