[NXP-27300] Allow to relax the mandatory aspect of the "redirect URIs" field when registering an OAuth 2 client - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: QualifiedToSchedule
Component/s: OAuth

Tags:
- nxfit

Description

Since ~~NXP-22183~~, when registering an OAuth 2 client through the JSF UI, setting at least one redirect URI is mandatory.

This matches the requirements defined by https://tools.ietf.org/html/rfc6749#section-3.1.2.2:

The authorization server MUST require the following clients to
register their redirection endpoint:

Public clients.

Confidential clients utilizing the implicit grant type.

Yet, in the case of a confidential client using the JWT bearer grant type, e.g. Arender, the redirect URI shouldn't be mandatory as the authorization endpoint is never invoked (only one call to /oauth2/token).

Maybe we could add a notion of client type, depending on which the redirect URIs would be mandatory or not?

Will have to update both the JSF part and the REST API endpoints added by ~~NXP-22589~~.

Attachments

Issue Links

is related to

NXP-22589 Allow to handle OAuth2 clients in the Web UI Admin Center + improve token management

Resolved

NXP-22183 OAuth2: rework consumer registration

Resolved

Activity

People

Assignee:

Unassigned

Reporter:

Antoine Taillefer

Participants:

Antoine Taillefer

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

2019-04-29 13:12

Updated:

2019-04-29 13:12