Registration - 2 - Client metadata Redirect_uris as OPTIONAL

Issue #1090 resolved
alexandre faria created an issue

Currently the redirect_uris client metadata is set as REQUIRED, which seems obvious according to the grant_types description, which focuses only on authorization_code and implicit.

But according to the Discovery specification, we may support other grant types. If we support the client_credentials grant type, there is no need for redirect_uris.

Could we update the specification in order to make this metadata optional, only when a supported grant_type has been requested that does not require redirect_uris matching?

If we do so, then that also impacts the response_types and grant_types, which should not be set to code and authorization_code respectively by default.

Especially since having authorization_code and client_credentials on the same client is not recommended. We should then add a security appendix advising not to mix, in the same client, grant types that require a redirect_uri with others that do not. E.g.: do not mix authorization_code and client_credentials in the same client.

Comments (4)

  1. Filip Skokan

    While the property is required it’s okay for it to be empty. E.g. to register a device flow client one would send a payload like this

    {
      "grant_types": ["urn:ietf:params:oauth:grant-type:device_code", "refresh_token"],
      "response_types": [],
      "redirect_uris": [],
      "token_endpoint_auth_method": "none",
      "application_type": "native"
    }
    

    It’s similar with client_credentials (change the auth method, replace grant types, remove application type?).

  2. alexandre faria reporter

    Thanks for your response. I am trying this on several open source solutions, but in all cases I get this kind of response:

    "redirect_uris": [],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": [
        "authorization_code",
        "client_credentials",
        "refresh_token"
    ],
    "response_types": [
        "code",
        "none"
    ],
    ...
    

    Do you know any compliant openid provider that is able to handle this topic?

    Thanks a lot for your help,

    Alexandre.

  3. Filip Skokan

    E.g. https://github.com/panva/node-oidc-provider, where a property’s default value is only applied when the property is missing from the request, as I believe it should be.

    npm i -g openid-client-cli
    openid-client create https://guarded-cliffs-8635.herokuapp.com/reg response_types=[] redirect_uris=[] grant_types=[client_credentials] | jq
    
    # omitting irrelevant properties from the response
    # {
    #   "grant_types": [
    #     "client_credentials"
    #   ],
    #   "response_types": [],
    #   "token_endpoint_auth_method": "client_secret_basic",
    #   "client_id_issued_at": 1559119533,
    #   "client_id": "w_hDN6mt7SL94XLPnRJmt",
    #   "client_secret_expires_at": 0,
    #   "client_secret": "OrnnAIBeWe-1vjJAhuqhb8cZeLOZMKp-2vkYOWdXhpLdXfotMhH6g9uFCoH6hNx8x67ESIAGaALxVfEs3mqtpA",
    #   "redirect_uris": []
    # }
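
As an added example (not code from the OpenID Connect specification, from node-oidc-provider, or from either participant in this thread), the Node.js snippet below shows the registration-endpoint behaviour discussed here: the defaults for response_types, grant_types and token_endpoint_auth_method are applied only when the property is absent from the request, redirect_uris stays REQUIRED but may be an empty array, and the resulting metadata is checked for consistency between grant types, response types and redirect URIs. Refusing a client that combines authorization_code or implicit with client_credentials is the policy the issue asks for rather than a rule of the specification, so it is switchable. The grant/response-type mapping, the function names, the option name and the sample payloads are assumptions of this example.

```javascript
// Added example: not code from the OpenID Connect spec, node-oidc-provider,
// or either participant in this thread. Mapping, names and payloads below
// are assumptions made for illustration.

// Grant types whose flows deliver results to a redirect_uri (assumption:
// these are the only redirect-based grants this toy server supports).
const REDIRECT_GRANTS = new Set(['authorization_code', 'implicit']);

// Registration defaults from OIDC Dynamic Client Registration, section 2.
const DEFAULTS = {
  response_types: ['code'],
  grant_types: ['authorization_code'],
  token_endpoint_auth_method: 'client_secret_basic',
};

// Grant types a response_type value depends on: "code" needs
// authorization_code, "token" / "id_token" need implicit, "none" needs nothing.
function grantsForResponseType(responseType) {
  const parts = new Set(responseType.split(/\s+/));
  const needed = [];
  if (parts.has('code')) needed.push('authorization_code');
  if (parts.has('token') || parts.has('id_token')) needed.push('implicit');
  return needed;
}

// Apply a default only when the property is absent from the request. A value
// the client did send, including an empty array, is kept as-is.
function applyDefaults(request) {
  const meta = { ...request };
  for (const [key, value] of Object.entries(DEFAULTS)) {
    if (!(key in meta)) meta[key] = Array.isArray(value) ? [...value] : value;
  }
  return meta;
}

// A redirect_uri must be an absolute URI without a fragment (RFC 6749, 3.1.2).
function isValidRedirectUri(uri) {
  try {
    return new URL(uri).hash === ''; // new URL throws on relative/malformed input
  } catch {
    return false;
  }
}

// Validate one registration request. Returns { ok, errors, metadata }.
// opts.allowMixedGrants (assumed option name) defaults to false: refusing a
// client that combines a redirect-based grant with client_credentials is the
// policy this issue asks for, not a spec rule, so it is switchable.
function validateRegistration(request, opts = {}) {
  const errors = [];
  const meta = applyDefaults(request);
  const grants = meta.grant_types;
  const redirectUris = Array.isArray(meta.redirect_uris) ? meta.redirect_uris : [];

  // redirect_uris stays REQUIRED, but an empty array is acceptable.
  if (!Array.isArray(meta.redirect_uris)) {
    errors.push('redirect_uris is REQUIRED (an empty array is allowed)');
  }

  // Every response_type must be backed by the grant_types that drive it.
  for (const rt of meta.response_types) {
    for (const g of grantsForResponseType(rt)) {
      if (!grants.includes(g)) {
        errors.push(`response_type "${rt}" requires grant_type "${g}"`);
      }
    }
  }

  const needsRedirect = grants.some((g) => REDIRECT_GRANTS.has(g));
  if (needsRedirect && redirectUris.length === 0) {
    errors.push('redirect-based grant_types require at least one redirect_uri');
  }
  if (!needsRedirect && redirectUris.length > 0) {
    errors.push('redirect_uris given, but no requested grant_type uses them');
  }
  for (const uri of redirectUris) {
    if (!isValidRedirectUri(uri)) errors.push(`invalid redirect_uri "${uri}"`);
  }
  if (!opts.allowMixedGrants && needsRedirect && grants.includes('client_credentials')) {
    errors.push('mixing authorization_code/implicit with client_credentials in one client is refused');
  }

  return { ok: errors.length === 0, errors, metadata: meta };
}

// Constructed sample payloads modelled on the ones posted in this thread.
const deviceClient = {
  grant_types: ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token'],
  response_types: [],
  redirect_uris: [],
  token_endpoint_auth_method: 'none',
  application_type: 'native',
};
const mixedClient = {
  redirect_uris: [],
  token_endpoint_auth_method: 'client_secret_basic',
  grant_types: ['authorization_code', 'client_credentials', 'refresh_token'],
  response_types: ['code', 'none'],
};
// A client_credentials client that omitted response_types: the "code" default
// then applies and the request is rejected as inconsistent.
const forgotResponseTypes = { redirect_uris: [], grant_types: ['client_credentials'] };

for (const [name, req] of Object.entries({ deviceClient, mixedClient, forgotResponseTypes })) {
  console.log(name, validateRegistration(req));
}
```

The third sample is the edge case the thread turns on: because the default response_type `code` is applied whenever response_types is absent, a client_credentials registration that omits response_types is rejected for requiring authorization_code, which is why the CLI example above sends `response_types=[]` explicitly rather than leaving it out.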
    