Conversation

@jogu jogu commented Jul 11, 2024

There are undocumented & unsolved security issues around client_metadata_uri (#14) and further concerns that it's not clear what client metadata parameters can actually be used in it (#17), and from the feedback we have received so far it seems no one is relying on it.

closes #202
closes #14

The Verifier communicates a Client Identifier Scheme that indicate how the Wallet is supposed to interpret the Client Identifier and associated data in the process of Client identification, authentication, and authorization using `client_id_scheme` parameter. This parameter enables deployments of this specification to use different mechanisms to obtain and validate Client metadata beyond the scope of [@!RFC6749]. A certain Client Identifier Scheme MAY require the Verifier to sign the Authorization Request as means of authentication and/or pass additional parameters and require the Wallet to process them.

Depending on the Client Identifier Scheme, the Verifier can communicate a JSON object with its metadata using `client_metadata` and `client_metadata_uri` parameters that contain name/value pairs defined in Section 4.3 and Section 2.1 of the OpenID Connect Dynamic Client Registration 1.0 [@!OpenID.Registration] specification as well as [@!RFC7591]. The parameter names include a term `client` since the Verifier is acting as an OAuth 2.0 Client.
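Review bot: the second paragraph still names `client_metadata_uri` alongside `client_metadata` as a way for the Verifier to convey its metadata; since this PR removes `client_metadata_uri` because of the unresolved security issues tracked in #14, that reference should be dropped from this paragraph too, so that it describes only the `client_metadata` parameter.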

I removed "The parameter names include a term client since the Verifier is acting as an OAuth 2.0 Client" because it felt like it was in the wrong place, it doesn't seem necessary to introduce "verifier is a client" here when the previous paragraph already talks about client.

@Sakurann Sakurann requested review from awoie, bc-pi and tplooker July 11, 2024 15:55
@Sakurann Sakurann merged commit 20866dd into main Jul 18, 2024

Successfully merging this pull request may close these issues:

- Remove client_metadata_uri authorization parameter
- client_metadata_uri security considerations