NXP-22183, when registering an OAuth 2 client through the JSF UI, setting at least one redirect URI is mandatory.
This matches the requirements defined by https://tools.ietf.org/html/rfc6749#section-3.1.2.2:
The authorization server MUST require the following clients to
register their redirection endpoint:
- Public clients.
- Confidential clients utilizing the implicit grant type.
Yet, in the case of a confidential client using the JWT bearer grant type, e.g. Arender, the redirect URI shouldn't be mandatory as the authorization endpoint is never invoked (only one call to /oauth2/token).
Maybe we could add a notion of client type, depending on which the redirect URIs would be mandatory or not?
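The rule proposed above, written out as an added example (not Nuxeo code). The names `ClientType`, `GrantType`, `redirectUriRequired` and `validate` are hypothetical, and keeping the requirement for confidential clients using the authorization code grant is an assumption, made because that flow does invoke the authorization endpoint.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

public class RedirectUriRule {
    enum ClientType { PUBLIC, CONFIDENTIAL }              // hypothetical names
    enum GrantType { AUTHORIZATION_CODE, IMPLICIT, JWT_BEARER }

    static boolean redirectUriRequired(ClientType type, Set<GrantType> grants) {
        // RFC 6749 section 3.1.2.2: public clients, and confidential clients
        // using the implicit grant, MUST register a redirection endpoint.
        if (type == ClientType.PUBLIC || grants.contains(GrantType.IMPLICIT)) {
            return true;
        }
        // Assumption: authorization code also goes through the authorization
        // endpoint, so it keeps the requirement; JWT bearer only calls /oauth2/token.
        return grants.contains(GrantType.AUTHORIZATION_CODE);
    }

    static List<String> validate(ClientType type, Set<GrantType> grants, List<String> redirectUris) {
        List<String> errors = new ArrayList<>();
        if (grants.isEmpty()) {
            errors.add("at least one grant type is required");
        }
        if (redirectUris.isEmpty() && redirectUriRequired(type, grants)) {
            errors.add("at least one redirect URI is required");
        }
        for (String value : redirectUris) {   // URIs that are supplied are always checked
            try {
                URI uri = new URI(value);
                // RFC 6749 section 3.1.2: absolute URI without a fragment.
                if (!uri.isAbsolute() || uri.getFragment() != null) {
                    errors.add("invalid redirect URI: " + value);
                }
            } catch (URISyntaxException e) {
                errors.add("invalid redirect URI: " + value);
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample registrations.
        List<String> none = Collections.emptyList();
        System.out.println(validate(ClientType.CONFIDENTIAL, EnumSet.of(GrantType.JWT_BEARER), none));
        System.out.println(validate(ClientType.CONFIDENTIAL, EnumSet.of(GrantType.IMPLICIT), none));
        System.out.println(validate(ClientType.PUBLIC, EnumSet.of(GrantType.AUTHORIZATION_CODE),
                Arrays.asList("https://app.example.com/callback#frag")));
    }
}
```

Sharing one such check between the JSF form and the REST endpoints keeps the two registration paths from diverging on when a redirect URI may be omitted.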
Will have to update both the JSF part and the REST API endpoints added by