Formally require OAuth client_id to match the origin of the redirect_uri
raucao opened this issue · 0 comments
raucao commented
We already decided this to be best practice, and most server implementations require the client ID to match the origin of the redirect URI. However, it is not documented properly, and currently the spec actually says that the client ID should be ignored entirely by the server:
The server MAY expire bearer tokens, and MAY require the user to register applications as OAuth clients before first use; if no client registration is required, the server MUST ignore the value of the client_id parameter in favor of relying on the origin of the redirect_uri parameter for unique client identification. See section 4 of [ORIGIN] for computing the origin.
(Maybe someone can find the conversation where we decided to change this behavior, and then failed to update the spec.)
@jcoglan just ran into this change with an old app of his, which now fails to connect 5apps accounts.
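The check the issue asks to require, as an added example that is not part of the issue or of any remoteStorage server's code: the server computes the origin of the redirect_uri following the RFC 6454 rules the quoted spec text points to (scheme and host are case-insensitive, the default port is dropped) and accepts the authorization request only when the client_id is exactly that origin. The names origin_of and client_id_matches_redirect, and the assumption that a client_id is supplied as an absolute origin URL such as https://myapp.example, are this example's, not the spec's.

```python
from urllib.parse import urlsplit

# Default ports per RFC 6454: an explicit default port is the same origin
# as no port at all.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri: str) -> str:
    """Serialize the origin (scheme://host[:port]) of an absolute http(s) URI.

    Raises ValueError for anything that has no usable origin (relative URI,
    non-http scheme, missing host, non-numeric port).
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased by urlsplit
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"no http(s) origin for {uri!r}")
    port = parts.port  # None when absent; ValueError when not an integer
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def client_id_matches_redirect(client_id: str, redirect_uri: str) -> bool:
    """True only when client_id names exactly the origin of redirect_uri.

    Both values are normalized through origin_of, so case and an explicit
    default port do not matter, but a different scheme, host or port does.
    A client_id that is not itself an origin URL (assumption of this example:
    bare hosts are not accepted) never matches.
    """
    try:
        return origin_of(client_id) == origin_of(redirect_uri)
    except ValueError:
        return False


def validate_authorization_request(params: dict) -> tuple[bool, str]:
    """Decide whether an OAuth authorization request may proceed.

    `params` is the query of the authorization request; only the two
    parameters discussed in the issue are examined here.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if not client_id or not redirect_uri:
        return False, "client_id and redirect_uri are required"
    if not client_id_matches_redirect(client_id, redirect_uri):
        return False, "client_id must be the origin of redirect_uri"
    return True, origin_of(redirect_uri)


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real server log.
    samples = [
        {"client_id": "https://myapp.example",
         "redirect_uri": "https://myapp.example/callback?state=abc"},
        {"client_id": "HTTPS://MyApp.Example:443",
         "redirect_uri": "https://myapp.example/callback"},
        {"client_id": "https://myapp.example",
         "redirect_uri": "https://myapp.example.other.example/callback"},
        {"client_id": "https://myapp.example",
         "redirect_uri": "http://myapp.example/callback"},
        {"client_id": "myapp.example",
         "redirect_uri": "https://myapp.example/callback"},
    ]
    for req in samples:
        ok, detail = validate_authorization_request(req)
        print("ALLOW" if ok else "DENY ", req["client_id"], "->",
              req["redirect_uri"], "|", detail)
```

The comparison deliberately goes through origin_of on both sides rather than a string prefix test: a prefix test would let https://myapp.example pass for a redirect to https://myapp.example.other.example, while origin equality rejects it. Servers that also keep a registered-client table can run this check first and then look up the resulting origin.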