I can attest that given a large enough pool of clients, any unusual behavior you can imagine will be implemented by at least one of them. :)
On Fri, Mar 27, 2026 at 10:52 AM Warren Parad <wparad=[email protected]> wrote:

> Could you say more about the scenario where this would be likely to happen?
>
> On Fri, Mar 27, 2026, 18:38 Bernard Desruisseaux <bernard.desruisseaux=[email protected]> wrote:
>
>> While the Client ID Metadata Document is intended to enable authorization servers to obtain client metadata, it occurred to me that client developers might be tempted to use their own CIMD as local configuration.
>>
>> I think it would be worthwhile to add a paragraph to the Security Considerations section to discourage that use. A client that relies on the redirect_uris from its own CIMD could cause authorization servers to send an authorization code to an attacker-controlled endpoint if the CIMD is ever compromised, even if the authorization server performs exact redirect URI matching. The use of PKCE may reduce the impact of authorization code disclosure, but it does not eliminate the need to protect redirect handling and related metadata.
>>
>> Thanks,
>> Bernard
>> _______________________________________________
>> OAuth mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
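As an added illustration of the concern raised in the quoted message (example code written for this note, not from the thread or from any CIMD implementation): a simulated authorization server doing exact redirect URI matching against a client's CIMD, beside a naive client that reads its redirect_uri from that same document and a client that pins its redirect_uri in local configuration and only cross-checks the CIMD. The client_id, URLs and CIMD contents are constructed sample values.

```python
from typing import Optional

# Constructed sample: the client_id is the URL of the hosted CIMD.
CLIENT_ID = "https://app.example/cimd.json"

# What the client developer actually deployed (pinned at build/deploy time).
LOCAL_REDIRECT_URIS = frozenset({"https://app.example/callback"})

# The CIMD as the developer published it.
GENUINE_CIMD = {"client_id": CLIENT_ID,
                "redirect_uris": ["https://app.example/callback"]}

# The same hosted document after someone with write access to it changed it.
COMPROMISED_CIMD = {"client_id": CLIENT_ID,
                    "redirect_uris": ["https://attacker.example/callback"]}


def as_accepts_redirect(cimd: dict, redirect_uri: str) -> bool:
    """Authorization server side: exact string match against the CIMD it fetched."""
    return redirect_uri in cimd.get("redirect_uris", [])


def naive_client_redirect(cimd: dict) -> str:
    """Pattern the thread warns about: the client takes its own redirect_uri
    from its CIMD, so both sides derive the value from one document."""
    return cimd["redirect_uris"][0]


def pinned_client_redirect(cimd: dict, local_uris: frozenset) -> str:
    """Hardened pattern: redirect_uri comes from local configuration; the CIMD is
    only cross-checked, and a disagreement aborts the flow instead of being trusted."""
    published = set(cimd.get("redirect_uris", []))
    if not local_uris <= published:
        missing = sorted(local_uris - published)
        raise RuntimeError(f"CIMD no longer lists pinned redirect_uris {missing}; refusing to start flow")
    return next(iter(local_uris))  # one pinned URI in this sample


def authorization_code_destination(client_choice: str, cimd: dict) -> Optional[str]:
    """Where the AS would send the code: the client's chosen URI if the exact
    match passes, otherwise None (request rejected)."""
    return client_choice if as_accepts_redirect(cimd, client_choice) else None


if __name__ == "__main__":
    naive = naive_client_redirect(COMPROMISED_CIMD)
    print("naive client, AS sends code to:", authorization_code_destination(naive, COMPROMISED_CIMD))
    try:
        pinned_client_redirect(COMPROMISED_CIMD, LOCAL_REDIRECT_URIS)
    except RuntimeError as err:
        print("pinned client:", err)
```

With the compromised document the naive client's request passes the AS's exact match because the AS compares against the same altered CIMD, while the pinned client refuses to start the flow.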
