While the Client ID Metadata Document is intended to enable authorization servers to obtain client metadata, it occurred to me that client developers might be tempted to use their own CIMD as local configuration.
I think it would be worthwhile to add a paragraph to the Security Considerations section to discourage that use. A client that relies on the redirect_uris from its own CIMD could cause authorization servers to send an authorization code to an attacker-controlled endpoint if the CIMD is ever compromised, even if the authorization server performs exact redirect URI matching. The use of PKCE may reduce the impact of authorization code disclosure, but it does not eliminate the need to protect redirect handling and related metadata.

Thanks,
Bernard

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
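The failure mode Bernard describes, shown as an added Python example that is not part of the post or of the draft itself: a client that takes its redirect URI from its own re-fetched Client ID Metadata Document inherits whatever a tampered document says, whereas a client that keeps the redirect URI in local configuration and only uses the published document for a consistency check refuses to continue when the two disagree. All URLs, the document contents and the S256 PKCE helper are constructed for the example; the draft does not prescribe any such check.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed example: the redirect URI the client was deployed with. This is the
# value the client itself should trust; it is not replaced by whatever the
# published Client ID Metadata Document says at run time.
LOCAL_CONFIG = {
    "client_id": "https://client.example/cimd.json",   # hypothetical CIMD URL used as client_id
    "redirect_uris": ["https://client.example/callback"],
}

# Constructed example: the document as published at the client's own URL, intact.
PUBLISHED_CIMD_CLEAN = json.dumps({
    "client_id": "https://client.example/cimd.json",
    "client_name": "Example Client",
    "redirect_uris": ["https://client.example/callback"],
})

# Constructed example: the same document after its hosting was compromised and the
# redirect URI swapped for one the client operator does not control.
PUBLISHED_CIMD_TAMPERED = json.dumps({
    "client_id": "https://client.example/cimd.json",
    "client_name": "Example Client",
    "redirect_uris": ["https://attacker.example/callback"],
})


def redirect_uri_from_cimd(published_cimd_json):
    """The fragile pattern: treat the fetched CIMD as the client's own configuration.

    With a tampered document this silently returns the attacker's endpoint, and the
    authorization server's exact redirect URI match will pass because the CIMD it
    fetches says the same thing.
    """
    return json.loads(published_cimd_json)["redirect_uris"][0]


def redirect_uris_drift(local_config, published_cimd_json):
    """Return the redirect URIs the published CIMD lists that local configuration does not.

    A non-empty result means the document served under the client_id no longer
    matches what was deployed, which is worth alerting on as a possible compromise
    of the CIMD hosting.
    """
    published = json.loads(published_cimd_json)
    return set(published.get("redirect_uris", [])) - set(local_config["redirect_uris"])


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorization_url(authorization_endpoint, local_config, published_cimd_json, state, code_challenge):
    """Build the authorization request from local configuration only.

    The published document is consulted solely to confirm it still agrees with the
    deployed configuration; on drift the flow stops instead of continuing.
    """
    drift = redirect_uris_drift(local_config, published_cimd_json)
    if drift:
        raise RuntimeError(f"published CIMD lists unexpected redirect_uris: {sorted(drift)}")
    params = {
        "response_type": "code",
        "client_id": local_config["client_id"],
        "redirect_uri": local_config["redirect_uris"][0],   # from local config, never from the fetched document
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print("fragile client would redirect to:", redirect_uri_from_cimd(PUBLISHED_CIMD_TAMPERED))
    print("drift detected:", redirect_uris_drift(LOCAL_CONFIG, PUBLISHED_CIMD_TAMPERED))
    print(authorization_url("https://as.example/authorize", LOCAL_CONFIG,
                            PUBLISHED_CIMD_CLEAN, secrets.token_urlsafe(16), challenge))
```

The PKCE pair is included because the post mentions it: the challenge binds the code to this client instance, which limits what a disclosed code is worth, but it does nothing to stop the redirect itself from going to the wrong place, which is exactly why the redirect URI has to come from configuration the client controls.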
