Issue #1290 open
Assuming SIOP v1 and v2 are distinct protocols, we should consider removing the ad hoc registration scheme rather than inheriting it in SIOP v2.
- The reason to allow for non-authoritative registration metadata was that there was originally no scheme to resolve client metadata in OpenID. With OpenID Connect Federation, we now have a defined system of automatic registration via client metadata resolution.
- Having a single format for registration (via automatic client registration as defined in OpenID Connect Federation) will simplify SIOP implementations.
- There are distinct issues with the registration query parameter, such as the ability to maliciously capture id_tokens if the registration metadata is trusted to provide certain values, such as alternative redirect_uri.
This proposal would be to:
- Remove registration and registration_uri as acceptable parameters for SIOP v2, making them exclusive to SIOP v1.
- client_id should be used to resolve OpenID Federation entity metadata, rather than being required to be a redirect_uri. Discussion on how this might be done for non-HTTPS-scheme URIs (such as DIDs) is at Issue #1289.
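As an added example (not code from this issue or from any OpenID project), the following Python sketch contrasts the two behaviours the proposal is about: a v1-style validator that trusts a self-asserted `registration` object to supply an alternative redirect_uri, and the proposed v2 handling that rejects `registration`/`registration_uri` outright and only accepts a redirect_uri found in metadata resolved from `client_id`. The resolver is a constructed in-memory dictionary standing in for OpenID Connect Federation metadata resolution; a real implementation would fetch and verify a signed trust chain. All URIs and metadata values are constructed fixtures.

```python
"""Added example: SIOP v1-style vs. proposed v2 request validation.
Not code from the issue or any OpenID project; resolver is a constructed stub."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for resolving client metadata from client_id
# (the proposal's path, e.g. via OpenID Connect Federation). A real
# resolver verifies a signed trust chain; this dict is a fixture only.
AUTHORITATIVE_METADATA = {
    "https://rp.example": {"redirect_uris": ["https://rp.example/cb"]},
}


class RequestRejected(ValueError):
    """Raised when a SIOP request must not be answered."""


def build_request(**params):
    """Assemble a constructed openid:// request URI from query parameters."""
    return "openid://?" + urlencode(params)


def parse_request(uri):
    """Flatten the query string of a request URI into a dict of first values."""
    query = parse_qs(urlparse(uri).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def v1_trusting_redirect(params):
    """SIOP v1 style: client_id doubles as redirect_uri, but a self-asserted
    `registration` object is trusted to override it. This is the pattern the
    issue flags: whoever builds the request decides where the id_token goes."""
    registration = json.loads(params.get("registration", "{}"))
    alternatives = registration.get("redirect_uris")
    if alternatives:
        return alternatives[0]  # non-authoritative value wins
    return params["client_id"]


def v2_proposed_redirect(params, resolver=AUTHORITATIVE_METADATA):
    """Proposed SIOP v2 handling: registration parameters are not accepted,
    and redirect_uri must appear in metadata resolved from client_id."""
    for forbidden in ("registration", "registration_uri"):
        if forbidden in params:
            raise RequestRejected(f"{forbidden} is not a SIOP v2 parameter")
    metadata = resolver.get(params.get("client_id"))
    if metadata is None:
        raise RequestRejected("client_id does not resolve to any metadata")
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in metadata["redirect_uris"]:
        raise RequestRejected("redirect_uri not in authoritative metadata")
    return redirect_uri


def rejects(validator, params):
    """True when the validator refuses the request (used for negative checks)."""
    try:
        validator(params)
    except RequestRejected:
        return True
    return False


# Constructed sample requests used below and in any external checks.
SAMPLE_REQUESTS = {
    # v1-style request carrying a self-asserted registration object
    "v1_with_registration": build_request(
        client_id="https://rp.example/cb",
        registration=json.dumps({"redirect_uris": ["https://other.example/cb"]}),
    ),
    # v2-style request whose redirect_uri matches resolved metadata
    "v2_matching": build_request(
        client_id="https://rp.example", redirect_uri="https://rp.example/cb"
    ),
    # v2-style request whose redirect_uri is absent from resolved metadata
    "v2_mismatch": build_request(
        client_id="https://rp.example", redirect_uri="https://other.example/cb"
    ),
}

if __name__ == "__main__":
    p = parse_request(SAMPLE_REQUESTS["v1_with_registration"])
    print("v1 trusting redirect:", v1_trusting_redirect(p))
    print("v2 rejects registration:", rejects(v2_proposed_redirect, p))
    p = parse_request(SAMPLE_REQUESTS["v2_matching"])
    print("v2 accepted redirect:", v2_proposed_redirect(p))
    p = parse_request(SAMPLE_REQUESTS["v2_mismatch"])
    print("v2 rejects mismatch:", rejects(v2_proposed_redirect, p))
```

The point of the contrast is in where the redirect decision comes from: in the v1-style path the request itself supplies it, so the request author controls delivery of the id_token; in the proposed path the only accepted source is metadata resolved from `client_id`, so a request can only name a redirect_uri that the resolved entity already claims.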