openid / connect / issues / #1761 - client_metadata_uri security considerations — Bitbucket

Issue #1761 resolved

Kristina Yasuda created an issue 2022-12-29

Raised by George: “should we have some “security considerations” about following unknown URIs? For example, is there a requirement that the domain of the client_id be the same as the domain of the client_metadata_uri?” (original issue comment)

Comments (4)

Giuseppe De Marco
In OIDC Federation we have a .well-known webpath appended to the client_id url
- 2022-12-29T22:07:52+00:00
Giuseppe De Marco
I don’t know if this issue was already resolved by a PR

anyway, the client_metadata_uri should be built starting from the client_id if this is an https URL, and I would suggest a .well-known endpoint
- 2023-06-22T17:44:37+00:00
Kristina Yasuda reporter
that might be a good option. I am not sure if this will limit any DID based deployments - guess they just use client_metadata parameter if needed.
- 2023-06-29T05:29:12+00:00
Mark Haine
- changed status to resolved
Migrated to GitHub

https://github.com/openid/OpenID4VP
- 2023-09-01T17:35:16+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: Verifiable Presentation

Milestone: –

Version: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!