Nuxeo Platform / NXP-27300

Allow to relax the mandatory aspect of the "redirect URIs" field when registering an OAuth 2 client



    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: QualifiedToSchedule
    • Component/s: OAuth


      Since NXP-22183, when registering an OAuth 2 client through the JSF UI, setting at least one redirect URI is mandatory.

      This matches the requirements defined by https://tools.ietf.org/html/rfc6749#section-

      The authorization server MUST require the following clients to
      register their redirection endpoint:

      • Public clients.
      • Confidential clients utilizing the implicit grant type.

      Yet, in the case of a confidential client using the JWT bearer grant type, e.g. Arender, the redirect URI shouldn't be mandatory as the authorization endpoint is never invoked (only one call to /oauth2/token).

      Maybe we could add a notion of client type, depending on which the redirect URIs would be mandatory or not?

      Will have to update both the JSF part and the REST API endpoints added by NXP-22589.
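As an added example (not Nuxeo code, and written in Python rather than Nuxeo's Java), the following encodes the RFC 6749 section 3.1.2.2 rule quoted above as a registration-time check keyed on the proposed client type: public clients and confidential clients using the implicit grant must register at least one redirect URI, while a confidential client using only the JWT bearer grant (which never reaches the authorization endpoint) may leave the field empty. It goes one step beyond the issue text by also applying the RFC 6749 section 3.1.2 constraints on any redirect URI that is supplied (absolute URI, no fragment). The ClientRegistration class, the function names and the constructed sample clients are assumptions of this example, not Nuxeo identifiers.

```python
"""Added example: client-type aware validation of the "redirect URIs"
field at OAuth 2 client registration time. Illustrative code, not Nuxeo's;
ClientRegistration and the function names below are assumed here."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import urlsplit

# grant_type values as sent to the token endpoint (RFC 6749 section 4,
# RFC 7523 section 2.1). "implicit" never hits the token endpoint at all,
# it is the response_type=token flow at the authorization endpoint.
GRANT_AUTHORIZATION_CODE = "authorization_code"
GRANT_IMPLICIT = "implicit"
GRANT_CLIENT_CREDENTIALS = "client_credentials"
GRANT_JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

REDIRECT_REQUIRED_MSG = "at least one redirect URI is required for this client type"


@dataclass
class ClientRegistration:
    client_id: str
    confidential: bool            # True if the client can keep a secret (RFC 6749 2.1)
    grant_types: Set[str]
    redirect_uris: List[str] = field(default_factory=list)


def redirect_uris_required(client: ClientRegistration) -> bool:
    """RFC 6749 section 3.1.2.2: the authorization server MUST require
    public clients, and confidential clients using the implicit grant,
    to register their redirection endpoint. Any other confidential client
    (e.g. one using only jwt-bearer or client_credentials, which only ever
    calls /oauth2/token) may register without one."""
    if not client.confidential:
        return True
    return GRANT_IMPLICIT in client.grant_types


def check_redirect_uri(uri: str) -> Optional[str]:
    """Return an error message, or None if the URI is acceptable.
    RFC 6749 section 3.1.2: the redirection endpoint URI MUST be an
    absolute URI and MUST NOT include a fragment component."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return "redirect URI must be absolute: %r" % uri
    if parts.fragment:
        return "redirect URI must not contain a fragment: %r" % uri
    return None


def validate_registration(client: ClientRegistration) -> List[str]:
    """Return the list of registration errors; an empty list means valid."""
    errors: List[str] = []
    if not client.grant_types:
        errors.append("at least one grant type is required")
    if redirect_uris_required(client) and not client.redirect_uris:
        errors.append(REDIRECT_REQUIRED_MSG)
    for uri in client.redirect_uris:
        err = check_redirect_uri(uri)
        if err:
            errors.append(err)
    return errors


if __name__ == "__main__":
    # Constructed sample registrations, not real Nuxeo clients.
    samples = [
        ClientRegistration("spa", False, {GRANT_AUTHORIZATION_CODE}),
        ClientRegistration("legacy-implicit", True, {GRANT_IMPLICIT}),
        ClientRegistration("jwt-bearer-service", True, {GRANT_JWT_BEARER}),
        ClientRegistration("web", True, {GRANT_AUTHORIZATION_CODE},
                           ["https://app.example/cb#frag", "/cb"]),
    ]
    for c in samples:
        print(c.client_id, "->", validate_registration(c) or "OK")
```

The decision is deliberately driven by the registered client type and grant types rather than by the presence of a client secret alone: a confidential client that also enables the implicit grant is still forced to register its redirect URI, which is the case the RFC singles out.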

