
allow empty redirect uris for confidential clients

Open kcolford opened this issue 1 year ago • 3 comments

Overview

Allow confidential clients to not require pre-registering their redirect URIs.

What this PR does / why we need it

The standards do not require that confidential clients have preregistered redirect URIs; that requirement is only for public clients. While confidential clients SHOULD use pre-configured redirect URIs, they are not essential to their security. We also will not adopt wildcards in redirect URIs as per #448 since that would be an explicit violation of the standard.

Special notes for your reviewer

kcolford, Sep 30 '24 19:09
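The policy described in the PR description above, sketched as an added example; this is not code from the PR or from dex, and the `Client` type, `CheckRedirectURI` and the sample clients are hypothetical names constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Client is a hypothetical minimal client record, not dex's storage type.
type Client struct {
	ID           string
	Public       bool     // true for public clients (no client secret)
	RedirectURIs []string // pre-registered URIs; may be empty
}

var ErrRedirectURI = errors.New("redirect_uri rejected")

// CheckRedirectURI is a hypothetical helper applying the policy above.
func CheckRedirectURI(c Client, requested string) error {
	// Registered URIs match by exact string comparison only, never wildcards.
	for _, r := range c.RedirectURIs {
		if r == requested {
			return nil
		}
	}
	if len(c.RedirectURIs) > 0 {
		return fmt.Errorf("%w: not registered for client %q", ErrRedirectURI, c.ID)
	}
	if c.Public {
		return fmt.Errorf("%w: public client %q must pre-register", ErrRedirectURI, c.ID)
	}
	// Confidential client with nothing registered: accept the request's URI,
	// but only an absolute URI without a fragment (RFC 6749 section 3.1.2).
	u, err := url.Parse(requested)
	if err != nil || !u.IsAbs() || u.Fragment != "" {
		return fmt.Errorf("%w: need an absolute URI without fragment", ErrRedirectURI)
	}
	return nil
}

func main() {
	// Constructed sample clients and URIs.
	conf := Client{ID: "backend"}
	pub := Client{ID: "cli", Public: true}
	fmt.Println(CheckRedirectURI(conf, "https://app.example/callback"))
	fmt.Println(CheckRedirectURI(conf, "/callback"))
	fmt.Println(CheckRedirectURI(pub, "https://app.example/callback"))
}
```

When an unregistered URI is accepted this way, the value should be stored with the authorization code and compared at the token endpoint, where RFC 6749 section 4.1.3 requires the two to be identical.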

@nabokihms for review

kcolford, Mar 22 '25 20:03

Just chiming in to say that this is a really useful addition to dex, and it's a shame the previous PRs:

  • #448
  • #1783

were all closed without merging

TomHellier, Apr 16 '25 07:04

@sagikazarmark could you please review this PR?

kcolford, Aug 20 '25 21:08