
Make ClientID URIs a MUST

Open elf-pavlik opened this issue 1 year ago • 2 comments

This is intended as a conversation starter. If we want to have proper client constraints, for example, acp:client, we need reliable global identifiers for clients. DynReg could be useful during early development, but production systems must always use URIs to denote clients. This way, the redirect_uri gets verified.

related:

  • https://github.com/solid/security-considerations/issues/17

elf-pavlik, Jun 27 '24 19:06
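The verification the issue refers to, sketched from the OpenID Provider's side as an added example that is not part of the thread or of any Solid project's code. It assumes the client ID URI dereferences to a JSON document carrying `client_id` and `redirect_uris`; `SAMPLE_DOCS`, `fetchClientDocument` and `checkAuthorizationRequest` are hypothetical names, and the documents are constructed sample data standing in for an HTTPS fetch.

```javascript
// Constructed sample documents, keyed by the URL they would be served from.
const SAMPLE_DOCS = {
  "https://app.example/id": {
    client_id: "https://app.example/id",
    client_name: "Example App",
    redirect_uris: ["https://app.example/callback"],
  },
  // A document that claims an identifier other than the URL it is served from.
  "https://other.example/id": {
    client_id: "https://app.example/id",
    redirect_uris: ["https://other.example/callback"],
  },
};

// Hypothetical stand-in for dereferencing the client_id over HTTPS.
function fetchClientDocument(url) {
  return SAMPLE_DOCS[url] ?? null;
}

// Decide whether an authorization request may proceed.
function checkAuthorizationRequest(clientId, redirectUri, fetchDoc = fetchClientDocument) {
  let parsed;
  try {
    parsed = new URL(clientId);
  } catch {
    // Opaque identifiers (e.g. issued by dynamic registration) end up here:
    // they name nothing outside the provider that issued them.
    return { ok: false, reason: "client_id is not a URI" };
  }
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: "client_id must be https" };
  }
  const doc = fetchDoc(clientId);
  if (!doc) return { ok: false, reason: "client document not retrievable" };
  // The document must name itself, otherwise any host could claim any client.
  if (doc.client_id !== clientId) return { ok: false, reason: "client_id mismatch" };
  // Exact string comparison, no prefix or wildcard matching.
  if (!Array.isArray(doc.redirect_uris) || !doc.redirect_uris.includes(redirectUri)) {
    return { ok: false, reason: "redirect_uri not registered" };
  }
  return { ok: true, reason: "verified" };
}
```

Only a request that passes all four checks gives a policy such as `acp:client` an identifier that means the same thing at every provider.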

I think (hope) we can still make client-side web apps work securely though, if we resume work on https://github.com/solid/webid-oidc-spec/pull/34

michielbdejong, Jan 14 '25 09:01

By client-side web apps I mean the "client" is the code running in a specific tab in a specific window of a specific browser on a specific device, even if its source code has a global identifier. Similar for smartphone apps.

michielbdejong, Jan 14 '25 09:01