Thanks for the response Emelia, my comments inline

On Mon, Sep 29, 2025 at 7:28 PM Emelia S. <[email protected]> wrote:
> Hi Dick,
>
> I've addressed the issue with redirects by prohibiting them in
> https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/pull/46
> (I don't think there's a case where a Client ID Metadata Document URI
> being a redirect would be valid, since the document URI would likely not
> match the `client_id` value then)
>

lgtm -- thanks

>
> Where in the document is it described what is passed in the authorization
> request?
>
>
> Is this not covered in Sections 3 and 4 by specifying it is a Client
> Identifier and the following:
>
> The authorization server SHOULD fetch the document indicated by the
> client_id to retrieve the client registration information.
>
> Perhaps we could add in there the words "fetch the document indicated by
> the client_id during the authorization request", though a concern here is
> that this may limit compatibility with PARs and similar flows that aren't
> just the usual authorization endpoint flow.
>

You don't need normative language on exactly how the AS received the client_id -- perhaps:

When the AS receives a client_id either through an authorization request, a pushed authorization request, or similar flow, the AS fetches the document indicated by the client_id if it is not available in cache.

Something to help the reader tie together how the client_id was acquired and that it is the value of the client_id parameter (and not client_uri) that is being used to fetch the document

>
> There is actually no relationship between `client_id` and `client_uri`
> though an AS may choose to impose restrictions or a relationship here for
> added security (e.g., an AS could request the `client_uri` and assert that
> it links back to the `client_id` document via link relations). The
> `client_uri` is the website of the Client, which may be the client itself,
> or may just be an informational website about the client.
>

Perhaps rename the title of 6.1 Authorization Server Restrictions on client_id, client_uri, and redirect_uri Values
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
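The authorization-server behaviour discussed in this thread (fetch the document named by the `client_id` parameter, never by `client_uri`; serve it from cache when possible; refuse redirects; check the document against the request), written out as an added example. This is not code from the draft, from PR 46, or from either correspondent. The function and class names are hypothetical, the HTTP layer is injected so the example runs offline against constructed documents, and the URL rules in `validate_client_id_url` are this example's assumptions rather than text quoted from the draft.

```python
"""Fetch and validate an OAuth Client ID Metadata Document as an AS would.

Added example (not the draft's or the authors' code). The HTTP function is
injected and MUST NOT follow redirects itself, so a 3xx answer reaches the
checker below and is rejected, matching the thread's decision to prohibit
redirects for the metadata document URI.
"""
import json
import time
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Response:          # hypothetical minimal HTTP response
    status: int
    body: bytes


class ClientMetadataError(Exception):
    pass


def validate_client_id_url(client_id: str) -> None:
    # Assumed rules for a client_id that is itself a metadata document URL:
    # https only, a host, a path, no fragment, no userinfo, no dot segments.
    u = urlparse(client_id)
    if u.scheme != "https" or not u.netloc:
        raise ClientMetadataError("client_id must be an https URL")
    if "@" in u.netloc or u.fragment:
        raise ClientMetadataError("client_id must not carry userinfo or a fragment")
    if not u.path or any(seg in (".", "..") for seg in u.path.split("/")):
        raise ClientMetadataError("client_id must have a path without dot segments")


def fetch_client_metadata(client_id, http_get, cache, now=time.time, ttl=3600):
    """Return the metadata document for client_id, from cache when fresh.

    client_id is the value of the client_id parameter received in an
    authorization request, pushed authorization request, or similar flow.
    client_uri is never used here: it is informational only.
    """
    validate_client_id_url(client_id)
    entry = cache.get(client_id)
    if entry is not None and entry[0] > now():
        return entry[1]                      # cache hit: no network round trip
    resp = http_get(client_id)
    if 300 <= resp.status < 400:
        raise ClientMetadataError("redirects are prohibited for the document URI")
    if resp.status != 200:
        raise ClientMetadataError(f"unexpected HTTP status {resp.status}")
    try:
        doc = json.loads(resp.body)
    except ValueError as exc:
        raise ClientMetadataError("document is not valid JSON") from exc
    # The document must name the same client_id it was fetched from; this is
    # also why a redirected URI could not be valid (the values would differ).
    if doc.get("client_id") != client_id:
        raise ClientMetadataError("document client_id does not match requested client_id")
    if not isinstance(doc.get("redirect_uris"), list):
        raise ClientMetadataError("document must list redirect_uris")
    cache[client_id] = (now() + ttl, doc)
    return doc


def check_redirect_uri(doc, redirect_uri: str) -> bool:
    # Exact string comparison against the registered list; no prefix matching.
    return redirect_uri in doc["redirect_uris"]


# Constructed sample documents standing in for live servers.
GOOD_ID = "https://app.example/oauth/client-metadata.json"
CONSTRUCTED = {
    GOOD_ID: Response(200, json.dumps({
        "client_id": GOOD_ID,
        "client_uri": "https://app.example",
        "redirect_uris": ["https://app.example/callback"],
    }).encode()),
    "https://redirect.example/client": Response(302, b""),
    "https://mismatch.example/client": Response(200, json.dumps({
        "client_id": "https://other.example/client",
        "redirect_uris": [],
    }).encode()),
}


def fake_http_get(url: str) -> Response:
    """Offline stand-in for an HTTP GET that does not follow redirects."""
    return CONSTRUCTED.get(url, Response(404, b""))


if __name__ == "__main__":
    cache = {}
    doc = fetch_client_metadata(GOOD_ID, fake_http_get, cache)
    print("fetched:", doc["client_id"], "redirect ok:",
          check_redirect_uri(doc, "https://app.example/callback"))
    for bad in ("https://redirect.example/client", "https://mismatch.example/client"):
        try:
            fetch_client_metadata(bad, fake_http_get, cache)
        except ClientMetadataError as exc:
            print("rejected", bad, "->", exc)
```

The cache is keyed by the exact `client_id` string, so a later request using the same value is served without a fetch, which is the "if it is not available in cache" wording from the thread; a document whose embedded `client_id` differs from the URL it was fetched from is refused for the same reason a redirect is.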
