Don't show redirect_uri on consent screen if not HTTP #1736
Conversation
Because we don't know if it is validated by the OS at all and so could be misleading to the user
Deploying with
|
| Latest commit: |
4010732
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://2bbefd94.matrix-authentication-service-docs.pages.dev |
| Branch Preview URL: | https://hughns-hide-redirect-uri-if.matrix-authentication-service-docs.pages.dev |
There was a problem hiding this comment.
For now it is the only bit of minuscule trust we can put on that screen, and I don't want to get rid of it, even though it is flawed.
I would suggest showing at the very least the client_uri, since:
- the OIDC dynamic reg spec says about it:
If present, the server SHOULD display this URL to the End-User in a followable fashion.
- the RFC for native apps says (and we're enforcing it):
When choosing a URI scheme to associate with the app, apps MUST use a URI scheme based on a domain name under their control, expressed in reverse order
Moreover, EXI is working towards using universal links anyway, so for Element clients it becomes completely irrelevant
The problem is that nothing is validating that the given domain is under control of the app owner. The app can choose any domain and give a matching As such, displaying a reverse domain is of zero benefit. What is the trust that showing it brings? Where the value is validated I do see benefit in showing it which is why my PR shows it if it is an HTTP URI. |
Because we don't know if it is validated by the OS at all and so could be misleading to the user