On Mon, Jul 8, 2024 at 10:15 AM Emelia Smith <eme...@brandedcode.com> wrote:

> Just to follow up on this, further:
> > > 1. If an AS supports both registered and unregistered clients, is
> > > there any guidance or requirements on differentiating between them such as
> > > NOT issuing other identifiers that start with 'https"?
> >
> > This is probably a good call-out. I am unsure about how many ASes
> > would actually support both types of clients in practice though.
>
> In practice you're not checking for "https" but "https://"; furthermore
> most implementations use random bytes, often base64url or hex encoded, so
> they simply don't have the character set necessary to generate client_ids
> that are also valid URIs (or at least, the probability of this is
> incredibly small)
>

Agree on the "https://" -- that was what I intended.

There may be ASes that use URLs as identifiers. I don't know of any.

Not having thought it all through, I might allow a developer to "claim" a
"https://" client_id so that they could have more functionality, for
example to enable localhost or access to more sensitive data.

Thanks for this work Emelia! Will you be in Vancouver IETF?

/Dick
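The two points raised above (check the full "https://" prefix rather than "https", and a random base64url/hex client_id cannot collide with a URL) as an added example, not code from the thread or any AS implementation. It assumes a hypothetical AS design in which registered client_ids are looked up first, so a developer who has "claimed" an https:// identifier is served from that registration rather than from a metadata document.

```python
import secrets
import string
from urllib.parse import urlsplit

# Alphabets of base64url (RFC 4648 section 5) and hex encoding; neither
# contains ':' or '/', so an encoded random client_id can never be a URL.
BASE64URL_ALPHABET = string.ascii_letters + string.digits + "-_"
HEX_ALPHABET = string.hexdigits


def alphabet_can_form_https_prefix(alphabet: str) -> bool:
    """True if every character of 'https://' is available in the alphabet."""
    return all(ch in alphabet for ch in "https://")


def generate_opaque_client_id(nbytes: int = 32) -> str:
    """client_id for a registered client: random bytes, base64url without
    padding (secrets.token_urlsafe), so it cannot start with 'https://'."""
    return secrets.token_urlsafe(nbytes)


def is_url_client_id(client_id: str) -> bool:
    """True only for a syntactically plausible https URL: the full 'https://'
    prefix (not merely 'https'), a non-empty host and no fragment."""
    if not client_id.startswith("https://"):
        return False
    parts = urlsplit(client_id)
    return parts.scheme == "https" and bool(parts.hostname) and not parts.fragment


def classify_client_id(client_id: str, registered: set) -> str:
    """How an AS supporting both client kinds treats an incoming client_id.
    Registrations win: a URL-shaped value is only treated as a metadata
    document URL when no registration exists for it (hypothetical policy)."""
    if client_id in registered:
        return "registered"
    if is_url_client_id(client_id):
        return "url"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample values, not identifiers from any real AS.
    known = {"https://claimed.example/client.json"}
    for cid in (generate_opaque_client_id(), "https://app.example/client.json",
                "https://claimed.example/client.json", "httpsNotAUrl"):
        print(cid, "->", classify_client_id(cid, known))
```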
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org