Agreed, that is not the intent of CIMD so is probably worth calling out.

On Fri, Mar 27, 2026 at 10:38 AM Bernard Desruisseaux <bernard.desruisseaux=[email protected]> wrote:

> While the Client ID Metadata Document is intended to enable authorization servers to obtain client metadata, it occurred to me that client developers might be tempted to use their own CIMD as local configuration.
>
> I think it would be worthwhile to add a paragraph to the Security Considerations section to discourage that use. A client that relies on the redirect_uris from its own CIMD could cause authorization servers to send an authorization code to an attacker-controlled endpoint if the CIMD is ever compromised, even if the authorization server performs exact redirect URI matching. The use of PKCE may reduce the impact of authorization code disclosure, but it does not eliminate the need to protect redirect handling and related metadata.
>
> Thanks,
> Bernard
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
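The distinction Bernard draws, a client that reads its redirect URI back out of its own published CIMD versus one that keeps the redirect URI in local configuration and only checks the published document for drift, as an added example that is not part of the thread, the draft, or any project's code. All names, URLs and documents below are constructed for illustration; `parse_cimd`, `authorize_url_trusting_cimd`, `authorize_url_pinned` and `drift_detected` are hypothetical helpers, not functions from any library.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: what the client ships with as pinned, local configuration.
PINNED_CLIENT_ID = "https://client.example/oauth/client-metadata.json"
PINNED_REDIRECT_URIS = frozenset({"https://client.example/callback"})
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"


class CimdDriftError(Exception):
    """Raised when the published CIMD no longer agrees with the pinned config."""


def parse_cimd(document: str) -> dict:
    """Parse a CIMD and apply the sanity checks any consumer needs: the
    client_id inside the document must equal the URL it was fetched from
    (here the pinned client_id) and redirect_uris must be a list of strings."""
    cimd = json.loads(document)
    if cimd.get("client_id") != PINNED_CLIENT_ID:
        raise ValueError("client_id in document does not match its URL")
    uris = cimd.get("redirect_uris")
    if not isinstance(uris, list) or not all(isinstance(u, str) for u in uris):
        raise ValueError("redirect_uris must be a list of strings")
    return cimd


def _authorize_url(redirect_uri: str, state: str, code_challenge: str) -> str:
    """Build the authorization request URL (PKCE included; it limits what a
    leaked code is worth but does not protect the redirect target itself)."""
    params = {
        "response_type": "code",
        "client_id": PINNED_CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def authorize_url_trusting_cimd(cimd: dict, state: str, code_challenge: str) -> str:
    """The pattern the thread warns against: the client takes its own
    redirect URI from the published document. Exact matching on the AS side
    does not help, because the AS matches against the same document."""
    return _authorize_url(cimd["redirect_uris"][0], state, code_challenge)


def authorize_url_pinned(cimd: dict, state: str, code_challenge: str) -> str:
    """The safer pattern: the redirect URI comes from local configuration
    only; the published CIMD is compared against it and the flow is refused
    (and can be alerted on) if the two have drifted apart."""
    published = frozenset(cimd["redirect_uris"])
    if published != PINNED_REDIRECT_URIS:
        raise CimdDriftError(
            f"published redirect_uris {sorted(published)} differ from "
            f"pinned {sorted(PINNED_REDIRECT_URIS)}"
        )
    return _authorize_url(next(iter(PINNED_REDIRECT_URIS)), state, code_challenge)


def drift_detected(document: str) -> bool:
    """True if the pinned builder refuses to start a flow with this document."""
    try:
        authorize_url_pinned(parse_cimd(document), "state", "challenge")
    except CimdDriftError:
        return True
    return False


def redirect_uri_of(url: str) -> str:
    """Extract the redirect_uri parameter from an authorization request URL."""
    return parse_qs(urlsplit(url).query)["redirect_uri"][0]


# Constructed sample documents: the genuine CIMD and one whose redirect_uris
# entry has been replaced after a (hypothetical) compromise of the hosting.
GENUINE_CIMD = json.dumps({
    "client_id": PINNED_CLIENT_ID,
    "client_name": "Example Client",
    "redirect_uris": ["https://client.example/callback"],
})
TAMPERED_CIMD = json.dumps({
    "client_id": PINNED_CLIENT_ID,
    "client_name": "Example Client",
    "redirect_uris": ["https://attacker.example/callback"],
})

if __name__ == "__main__":
    print("trusting CIMD:", redirect_uri_of(
        authorize_url_trusting_cimd(parse_cimd(TAMPERED_CIMD), "s", "c")))
    print("pinned config refuses tampered CIMD:", drift_detected(TAMPERED_CIMD))
```

With the tampered document the first builder happily sends the user to the attacker's endpoint, while the pinned builder raises `CimdDriftError`; that refusal is also the natural place to emit a monitoring alert, since a published CIMD that disagrees with the client's own configuration is a strong signal that the hosting was tampered with.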
