client_metadata_uri security considerations
Issue #1761
resolved
Raised by George: “Should we have some ‘security considerations’ about following unknown URIs? For example, is there a requirement that the domain of the client_id be the same as the domain of the client_metadata_uri?”
Comments (4)
I don’t know if this issue was already resolved by a PR. Anyway, the client_metadata_uri should be built starting from the client_id if this is an https URL, and I would suggest a .well-known endpoint.
Reporter: that might be a good option. I am not sure if this will limit any DID-based deployments - guess they just use the client_metadata parameter if needed.
Changed status to resolved.
Migrated to GitHub
In OIDC Federation we have a .well-known webpath appended to the client_id url
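The two options discussed in this thread, as an added example that is not code from the issue or from the OpenID4VP project: a wallet-side check that only follows a client_metadata_uri whose origin matches an https client_id, and the alternative of deriving the metadata location from client_id via a .well-known path. The path `/.well-known/openid-client-metadata` is a hypothetical placeholder chosen here; the thread does not name a concrete path, and all URLs below are constructed sample values.

```python
"""Added example for the client_metadata_uri security consideration.

Check 1 (same-origin rule): when client_id is an https URL, client_metadata_uri
must also be https and share scheme, host and port with client_id, so the wallet
never dereferences an arbitrary URI named by the request.

Check 2 (derivation): build the metadata URL from client_id plus a .well-known
suffix instead of trusting a supplied URI at all.

The suffix below is a hypothetical placeholder, not a value defined by the spec.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-client-metadata"  # hypothetical placeholder


def _origin(parts) -> Optional[Tuple[str, str, int]]:
    """Normalize (scheme, host, port); default port 443 for https. None if unparsable."""
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if port is None:
        if parts.scheme.lower() != "https":
            return None
        port = 443
    return (parts.scheme.lower(), host, port)


def validate_client_metadata_uri(client_id: str, client_metadata_uri: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the same-origin rule.

    Non-URL client_ids (e.g. DIDs) are out of scope for this rule; as the thread
    suggests, such deployments would use the client_metadata parameter instead.
    """
    cid = urlsplit(client_id)
    if cid.scheme.lower() != "https" or _origin(cid) is None:
        return False, "client_id is not an https URL; same-origin rule cannot be applied"
    meta = urlsplit(client_metadata_uri)
    if meta.scheme.lower() != "https":
        return False, "client_metadata_uri must use https"
    if meta.username is not None or meta.password is not None:
        # 'https://good.example@evil.example/' would otherwise look plausible
        return False, "userinfo in client_metadata_uri is not allowed"
    meta_origin = _origin(meta)
    if meta_origin is None:
        return False, "client_metadata_uri host or port is malformed"
    if meta_origin != _origin(cid):
        return False, "client_metadata_uri origin differs from client_id origin"
    return True, "ok"


def derive_well_known_metadata_uri(client_id: str, suffix: str = WELL_KNOWN_SUFFIX) -> str:
    """Derive the metadata URL from client_id: drop query/fragment, append the suffix."""
    p = urlsplit(client_id)
    if p.scheme.lower() != "https" or _origin(p) is None:
        raise ValueError("client_id must be an https URL to derive a .well-known URI")
    path = p.path.rstrip("/") + suffix
    return urlunsplit((p.scheme, p.netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed sample requests, not real deployments.
    print(validate_client_metadata_uri("https://verifier.example", "https://verifier.example/metadata.json"))
    print(validate_client_metadata_uri("https://verifier.example", "https://attacker.example/metadata.json"))
    print(derive_well_known_metadata_uri("https://verifier.example/rp"))
```

If the wallet fetches the metadata with a client that follows redirects, the same origin check should be applied to every redirect target, otherwise the check on the initial URI is easily bypassed.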