use of redirect_uri prefix unclear
The specification is unclear about what to do when the redirect_uri parameter (or response_uri for that matter) and the Client Identifier Prefix redirect_uri are both present and do not match.
Section 8.2 states that response_uri or redirect_uri parameter when present MUST be used. Therefore section 5.9.3 should note under redirect_uri that the parameter if present takes priority or mention that an error response (which?) is to be sent.
If I'm understanding the question correctly, then essentially if the redirect_uri parameter doesn't match the url in the redirect_uri: client id then essentially client authentication has failed and the wallet definitely shouldn't automatically redirect to the url.
I might be missing something, but doesn't "Requests using the redirect_uri Client Identifier Prefix cannot be signed because there is no method for the Wallet to obtain a trusted key for verification." mean there is no client authentication in this case (redirect_uri: client identifier prefix)?
Returning an error to either URL would indeed be illogical. Still, how to proceed when such an inconsistency occurs? Technically, ignoring this and using the parameter instead of the client_id is possible, but displaying an error to the user seems more sensible to me.
> I might be missing something, but doesn't "Requests using the redirect_uri Client Identifier Prefix cannot be signed because there is no method for the Wallet to obtain a trusted key for verification." mean there is no client authentication in this case (redirect_uri: client identifier prefix)?
That's what I meant by 'essentially client authentication failing'. It's an invalid request, yes.
> Returning an error to either URL would indeed be illogical. Still, how to proceed when such an inconsistency occurs? Technically, ignoring this and using the parameter instead of the client_id is possible, but displaying an error to the user seems more sensible to me.
Yes, displaying an error is the sensible outcome.
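
Added example, not part of the thread or of the specification: a wallet-side check for the outcome the discussion settles on, where a redirect_uri or response_uri parameter that disagrees with the URI carried in a `redirect_uri:` client_id makes the request invalid and the wallet shows an error to the user instead of sending anything to either URL. The function names, the exact string comparison and the sample URLs are assumptions made for illustration.

```python
from dataclasses import dataclass

PREFIX = "redirect_uri:"
# Response modes that deliver the response to response_uri instead of redirect_uri.
DIRECT_POST_MODES = {"direct_post", "direct_post.jwt"}


class InvalidRequest(Exception):
    """The request is rejected; nothing is sent to any URL from the request."""


@dataclass(frozen=True)
class ResponseTarget:
    parameter: str  # "redirect_uri" or "response_uri"
    uri: str


def resolve_response_target(params: dict) -> ResponseTarget:
    """Return where the response may go, or raise InvalidRequest on any inconsistency."""
    client_id = params.get("client_id", "")
    if not client_id.startswith(PREFIX):
        raise InvalidRequest("client_id does not use the redirect_uri prefix")
    bound_uri = client_id[len(PREFIX):]
    if not bound_uri:
        raise InvalidRequest("client_id carries no URI after the prefix")

    mode = params.get("response_mode")
    name = "response_uri" if mode in DIRECT_POST_MODES else "redirect_uri"
    explicit = params.get(name)
    # Assumption: exact string comparison, no URL normalisation.
    if explicit is not None and explicit != bound_uri:
        raise InvalidRequest(f"{name} parameter does not match the URI in client_id")
    return ResponseTarget(name, bound_uri)


def handle_request(params: dict) -> tuple:
    """Map the check onto the wallet's action: proceed, or show a local error."""
    try:
        return ("proceed", resolve_response_target(params))
    except InvalidRequest as exc:
        # Neither URL is trusted at this point, so the error stays in the wallet UI.
        return ("show_error_to_user", str(exc))


# Constructed sample requests (hypothetical verifier URLs).
MATCHING = {"client_id": "redirect_uri:https://verifier.example/cb",
            "redirect_uri": "https://verifier.example/cb"}
OMITTED = {"client_id": "redirect_uri:https://verifier.example/post",
           "response_mode": "direct_post"}
MISMATCH = {"client_id": "redirect_uri:https://verifier.example/cb",
            "redirect_uri": "https://other.example/cb"}
```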