SIOP v2-06: redirect_uri in signed requests
Section 10.2 states for signed authentication requests:
"In this case, client_id MUST NOT equal redirect_uri."
In contrast to this, Section 11 reads for the redirect_uri:
"REQUIRED. MUST equal the client_id value. MUST be included for compatibility reasons."
It is not clear to me what the exact requirements on the redirect_uri are when the request is signed.
OpenID Connect Core Section 6 allows signing just parts of the request to form a request object and passing some request parameters "using the OAuth 2.0 request syntax". Does "the Self-Issued OP request is signed" in Section 10.2 mean ALL request parameters MUST be contained in the signed request (in particular, that the redirect_uri is part of / duplicated in the signed request)?
I suggest making the language in Section 10.2 more explicit to clarify this.
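The ambiguity above is easiest to see with the OpenID Connect Core Section 6.1 merging rules written out. The following is an added example for this thread, not code from the issue, the SIOP v2 draft or any OpenID Foundation implementation: it merges the OAuth 2.0 query parameters with a decoded Request Object exactly as Core 6.1 prescribes (response_type, client_id and an openid scope outside the object; values inside the object take precedence) and then reports where redirect_uri ended up and whether it equals client_id, so both readings quoted above can be checked against one request. The DID, URLs and nonce are constructed sample values, and the JWS signature is a placeholder that the code does not verify.

```python
"""Request Object merging per OpenID Connect Core 1.0 Section 6.1, with a report on
where redirect_uri is carried. Added example, not part of the SIOP v2 draft."""
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_request_object_claims(request_jwt: str) -> dict:
    """Return the payload of a compact-serialised JWS without verifying it.

    Signature verification against the RP's key is left out so this runs without
    a JOSE library; a real Self-Issued OP must verify the signature before it
    trusts any claim in the Request Object.
    """
    parts = request_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact-serialised JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def merge_authorization_request(query_params: dict, request_object: dict) -> dict:
    """Apply the Core 1.0 Section 6.1 rules for a request carrying a Request Object.

    * response_type, client_id and a scope containing "openid" MUST be present
      using the OAuth 2.0 request syntax, i.e. outside the Request Object.
    * If response_type or client_id also appear inside, the values MUST match.
    * For any other parameter present in both places, the Request Object wins.
    """
    for name in ("response_type", "client_id", "scope"):
        if name not in query_params:
            raise ValueError(f"{name} missing from OAuth 2.0 request parameters")
    if "openid" not in query_params["scope"].split():
        raise ValueError("scope outside the Request Object must contain openid")
    for name in ("response_type", "client_id"):
        if name in request_object and request_object[name] != query_params[name]:
            raise ValueError(f"{name} differs between query and Request Object")
    merged = dict(query_params)
    merged.update(request_object)  # Request Object values take precedence
    merged.pop("request", None)    # the JWT itself is not a merged parameter
    return merged


def redirect_uri_report(query_params: dict, request_object: dict) -> dict:
    """Say where redirect_uri is carried and whether it equals client_id.

    Section 11 (MUST equal client_id) and Section 10.2 as quoted (MUST NOT, when
    signed) can both be checked against the returned dict; this takes no position
    on which reading the draft intends.
    """
    merged = merge_authorization_request(query_params, request_object)
    redirect_uri = merged.get("redirect_uri")
    return {
        "redirect_uri": redirect_uri,
        "carried_in_signed_request_object": "redirect_uri" in request_object,
        "equals_client_id": redirect_uri == merged["client_id"],
    }


# Constructed sample of a signed SIOP request (values are not from any real
# deployment). The signature segment is a placeholder and is not checked.
SIGNED_REQUEST_JWT = ".".join([
    _b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "client_id": "did:example:rp123",
        "redirect_uri": "https://rp.example/cb",  # carried inside the signed part
        "nonce": "n-0S6_WzA2Mj",
    }).encode()),
    _b64url(b"placeholder-signature"),
])

# The same request on the wire: OAuth 2.0 query parameters plus the Request
# Object in the "request" parameter.
SIGNED_QUERY = {
    "response_type": "id_token",
    "client_id": "did:example:rp123",
    "scope": "openid",
    "request": SIGNED_REQUEST_JWT,
}

# Constructed unsigned request, where Section 11 makes redirect_uri equal client_id.
UNSIGNED_QUERY = {
    "response_type": "id_token",
    "client_id": "https://rp.example/cb",
    "redirect_uri": "https://rp.example/cb",
    "scope": "openid",
    "nonce": "n-0S6_WzA2Mj",
}


def signed_report() -> dict:
    return redirect_uri_report(SIGNED_QUERY,
                               decode_request_object_claims(SIGNED_REQUEST_JWT))


def unsigned_report() -> dict:
    return redirect_uri_report(UNSIGNED_QUERY, {})


if __name__ == "__main__":
    print("signed:  ", signed_report())
    print("unsigned:", unsigned_report())
```

Running it shows the two cases side by side: in the signed sample redirect_uri lives inside the Request Object and differs from the DID client_id, while in the unsigned sample it is only a query parameter and equals client_id. Which of these the draft means to require is exactly what the issue asks the editors to state.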
Comments (3)
- changed status to open
Please review PR #115, in particular this commit: https://bitbucket.org/openid/connect/commits/a2ddf353ee1515d0be8f5eddf15b412e5053da70
- changed status to resolved
PR #115 merged
Editors believe this is an editorial clarification issue and does not change normative intention of a specification. PR will be created to be merged before official Implementer’s draft voting period begins on Feb 1st.