Hi Mario,
On 07.11.22 at 11:27, Mario Loffredo wrote:
I'm very busy Wednesday but, hopefully, I should be free for that time.
Great you can make it.
After a quick reading, a first big doubt from my side is about what is
stated in section 4 regarding "redirect URIs".
Browser-based applications:
* MUST Register one or more redirect URIs, and use only exact
registered redirect URIs in authorization requests
Now, it's clear to me that, in the OpenID model we are working on, the
RDAP server acts as an RP and is the one submitting requests to the AS
but it can't use a fixed set of redirect_uri values.
Yes, the security considerations part is still open. Applicability
mostly depends on whether there are confidential and/or registered
clients or not. If clients are anonymous there are certain risks related
to the redirect_uri, which can only to some degree be mitigated.
Kind Regards,
Pawel
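To make the "exact registered redirect URIs" rule from section 4 concrete, here is an added example (not from this thread, the draft, or any RDAP implementation) of how an AS would validate an incoming redirect_uri. The registered values and the rdap.example host are constructed; the loose prefix rule is included only to show what exact matching rejects.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect URIs a client (here, an RDAP server acting as RP)
# registered with the AS. Hypothetical values, not from any real deployment.
REGISTERED_REDIRECT_URIS = {
    "https://rdap.example/openid/callback",
    "https://rdap.example/openid/callback-alt",
}


def exact_match_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Accept only a string-for-string match with a registered value.

    No prefix matching, no normalisation, no tolerance for extra query
    parameters or fragments: this is the rule the draft requires."""
    return requested in registered


def prefix_match_allowed(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """The loose rule some servers use; shown only to contrast with exact matching.

    Anything appended to a registered value (extra path, query string) passes."""
    return any(requested.startswith(r) for r in registered)


def validate_redirect_uri(requested: str) -> tuple[bool, str]:
    """Exact-match validation with structural pre-checks. Returns (ok, reason)."""
    parts = urlsplit(requested)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.fragment:
        return False, "fragment not allowed in redirect_uri"
    if not exact_match_allowed(requested):
        return False, "redirect_uri is not an exactly registered value"
    return True, "ok"


if __name__ == "__main__":
    for uri in (
        "https://rdap.example/openid/callback",
        "https://rdap.example/openid/callback?next=somewhere",
        "http://rdap.example/openid/callback",
    ):
        print(uri, "->", validate_redirect_uri(uri), "prefix rule:", prefix_match_allowed(uri))
```

Per-request context (for example which RDAP query to resume after login) belongs in the state parameter, which is the usual way to keep the registered redirect_uri set fixed.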
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext