Could you say more about the scenario where this would be likely to happen?
On Fri, Mar 27, 2026, 18:38 Bernard Desruisseaux <bernard.desruisseaux= [email protected]> wrote:

> While the Client ID Metadata Document is intended to enable authorization
> servers to obtain client metadata, it occurred to me that client developers
> might be tempted to use their own CIMD as local configuration.
>
> I think it would be worthwhile to add a paragraph to the Security
> Considerations section to discourage that use. A client that relies on the
> redirect_uris from its own CIMD could cause authorization servers to send
> an authorization code to an attacker-controlled endpoint if the CIMD is
> ever compromised, even if the authorization server performs exact redirect
> URI matching. The use of PKCE may reduce the impact of authorization code
> disclosure, but it does not eliminate the need to protect redirect handling
> and related metadata.
>
> Thanks,
> Bernard
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
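The scenario Bernard sketches, as an added simulation that is not part of the thread, the draft, or any implementation: an authorization server that fetches the client's CIMD and does exact redirect_uri matching, run against a client that either pins its redirect URI in local configuration or reads it back out of the CIMD it hosts. The client_id URL, callback URLs, the in-memory "hosted" document, and the AuthorizationServer class are all constructed for the example; the PKCE part follows RFC 7636 S256.

```python
"""Simulation of the hazard raised in the thread: a client that treats its own
Client ID Metadata Document (CIMD) as local configuration.

Added example, not code from the draft or the list discussion. Assumptions:
- client_id is the HTTPS URL at which the CIMD is hosted;
- the AS fetches that URL and checks redirect_uri by exact string match
  against the document's redirect_uris (the thread's premise);
- an in-memory dict stands in for the hosted document and its HTTP fetch.
"""
import base64
import hashlib
import hmac
import secrets

CLIENT_ID = "https://client.example/oauth/client.json"  # CIMD URL (assumed)
LEGIT_CB = "https://client.example/callback"             # constructed
EVIL_CB = "https://attacker.example/callback"            # constructed

# Stand-in for the document hosted at CLIENT_ID (constructed test data).
hosted_cimd = {CLIENT_ID: {"client_id": CLIENT_ID, "redirect_uris": [LEGIT_CB]}}


def fetch_cimd(client_id):
    """What the AS (or a client misusing its CIMD as config) gets on fetch."""
    return dict(hosted_cimd[client_id])


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair():
    """RFC 7636 S256 code_verifier / code_challenge pair."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthorizationServer:
    def __init__(self):
        self.issued = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge):
        meta = fetch_cimd(client_id)
        if redirect_uri not in meta["redirect_uris"]:  # exact matching
            return ("error", "invalid_redirect_uri", None)
        code = secrets.token_urlsafe(16)
        self.issued[code] = (client_id, redirect_uri, code_challenge)
        return ("redirect", redirect_uri, code)  # code is delivered to redirect_uri

    def token(self, client_id, code, redirect_uri, code_verifier):
        entry = self.issued.pop(code, None)  # single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        expected = entry[2]
        actual = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(actual, expected):
            return None
        return "access_token_for_" + client_id


def run_scenario(use_cimd_as_config: bool, cimd_compromised: bool) -> dict:
    """Report where the authorization code ends up and whether its holder can redeem it."""
    hosted_cimd[CLIENT_ID]["redirect_uris"] = [EVIL_CB if cimd_compromised else LEGIT_CB]
    as_ = AuthorizationServer()

    # The hazard: the client reads its redirect_uri out of its own hosted CIMD,
    # so a tampered document silently changes where the AS sends the code.
    if use_cimd_as_config:
        redirect_uri = fetch_cimd(CLIENT_ID)["redirect_uris"][0]
    else:
        redirect_uri = LEGIT_CB  # pinned locally, independent of the CIMD

    verifier, challenge = pkce_pair()
    status, dest, code = as_.authorize(CLIENT_ID, redirect_uri, challenge)
    if status == "error":
        # Pinned URI no longer matches the tampered CIMD: the AS refuses
        # rather than redirecting anywhere, which is the safer failure.
        return {"code_delivered_to": "rejected", "redeemed": False}

    if dest == LEGIT_CB:
        token = as_.token(CLIENT_ID, code, dest, verifier)
        return {"code_delivered_to": "client", "redeemed": token is not None}

    # The attacker's endpoint received the code but never saw code_verifier,
    # so the exchange fails: PKCE limits the damage, it does not prevent the leak.
    attempt = as_.token(CLIENT_ID, code, dest, secrets.token_urlsafe(32))
    return {"code_delivered_to": "attacker", "redeemed": attempt is not None}


if __name__ == "__main__":
    for cfg in (True, False):
        for comp in (False, True):
            print(f"cimd_as_config={cfg} compromised={comp}: {run_scenario(cfg, comp)}")
```

The two compromised runs show the point of the proposed Security Considerations text: exact matching at the AS does not help when both sides of the comparison come from the same tampered document, whereas a client whose redirect URI is pinned in local configuration gets an invalid_redirect_uri error instead of having its code sent to the attacker's endpoint.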
