Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-27300

Allow to relax the mandatory aspect of the "redirect URIs" field when registering an OAuth 2 client

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: QualifiedToSchedule
    • Component/s: OAuth

      Description

      Since NXP-22183, when registering an OAuth 2 client through the JSF UI, setting at least one redirect URI is mandatory.

      This matches the requirements defined by https://tools.ietf.org/html/rfc6749#section-3.1.2.2:

      The authorization server MUST require the following clients to
      register their redirection endpoint:

      • Public clients.
      • Confidential clients utilizing the implicit grant type.

      Yet, in the case of a confidential client using the JWT bearer grant type, e.g. Arender, the redirect URI shouldn't be mandatory as the authorization endpoint is never invoked (only one call to /oauth2/token).

      Maybe we could add a notion of client type, depending on which the redirect URIs would be mandatory or not?

      Will have to update both the JSF part and the REST API endpoints added by NXP-22589.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.