We would like the client to be able to register an url for accessing the application.
We expect our OP to have the url available at the end-users associated RPs page.
How is this different from js_origin_uri?
We do not understand what you are asking for.
Is the URI intended for human or programmatic consumption?
Please provide a normative text change.
Sorry for the delay.
It's for human consumption along with application_name.
The OP can then provide the End-User with a non-technical links to his registered RPs (for maintenance, convenience and anti-phishing).
Not required for implementers draft. Review later.
Changing it to on-hold instead.
The problem with this is that it would require a method of validating that the display value is actually associated with the RP. The return_to URL at least is validated. Adding this likely introduces more security issues than it fixes.
Agreed. This would probably cause security problem.