Passed ctx into id factory #455
Conversation
@panva Do you think that this change would be in the spirit of the openid standards? Here's the use case: I would like to generate client_ids based on the Origin header during dynamic registration. I'll then use the client_id to validate if provided redirect URLs are valid (only redirect urls with the same hostname as the client_id will be allowed). I know that "it’s best that it isn’t guessable by third parties" (https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/), but putting the extra restriction on the redirect should negate that weakness. For more information on the reasoning behind this, see this thread (solid/webid-oidc-spec#12 (comment))
Codecov Report
@@ Coverage Diff @@
## master #455 +/- ##
=======================================
Coverage 99.11% 99.11%
=======================================
Files 164 164
Lines 4496 4496
=======================================
Hits 4456 4456
Misses 40 40 |
|
Not being familiar with WebID i think it shouldn't go the route of dynamic registrations for what are essentially throw-away clients, aren't they? Is there a point in keeping the client around when the end-user authenticates? It could take inspiration from Self-Issued OpenID Provider. A client registration is done on the fly as part of the authorization request with the I could be wrong tho. The change itself I don't have a problem with but it looks smelly, like a one-off serving that exact use case and none other so i'll go ahead and close while trying to think of something general, e.g. not having the factories called from the registration route but rather the Client model itself when it already has all the other metadata assigned. |
|
@panva Thanks for pointing out the self-issued OpenID provider specs. I think that's probably what we want to follow. Do you think my update makes sense for this use case? |
@panva Do you think that this change would be in the spirit of the openid standards?
Here's the use case: I would like to generate client_ids based on the Origin header during dynamic registration. I'll then use the client_id to validate if provided redirect URLs are valid (only redirect urls with the same hostname as the client_id will be allowed). I know that "it’s best that it isn’t guessable by third parties" (https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/), but putting the extra restriction on the redirect should negate that weakness.
For more information on the reasoning behind this, see this thread (solid/webid-oidc-spec#12 (comment))