Right now, the plugin looks for an existing client for the dynamic client by using its `software_id`. We should think through the possible ramifications for this, and if it is the correct way to de-duplicate.
For instance, what could happen if an attacker created a client with someone else's `software_id`?
@rmccue brought up looking at `redirect_uris` to handle browser-based clients (IIRC).
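An added example, not code from the plugin or from anyone in this thread: it contrasts de-duplicating a dynamic registration on `software_id` alone with also requiring the same `redirect_uris`, given that `software_id` is a value the registering client supplies. The registry layout, function names and sample values are hypothetical and constructed for illustration.

```python
# Added illustration; the registry, field layout and function names are
# hypothetical and not taken from the plugin.
from typing import Optional

# Constructed sample: one client already registered.
REGISTRY = [
    {
        "client_id": "c-1001",
        "software_id": "4d2a6c0e-example-app",
        "redirect_uris": ["https://app.example.com/callback"],
    },
]

def find_by_software_id(registry, metadata) -> Optional[dict]:
    """De-duplicate on software_id alone (the behaviour the issue questions)."""
    for client in registry:
        if client["software_id"] == metadata.get("software_id"):
            return client
    return None

def find_by_software_id_and_redirects(registry, metadata) -> Optional[dict]:
    """Reuse a client only if software_id AND the exact redirect URI set match."""
    requested = set(metadata.get("redirect_uris", []))
    if not requested:
        return None  # nothing to compare against: treat as a new registration
    for client in registry:
        if (client["software_id"] == metadata.get("software_id")
                and set(client["redirect_uris"]) == requested):
            return client
    return None

# Constructed registration requests.
SAME_APP = {
    "software_id": "4d2a6c0e-example-app",
    "redirect_uris": ["https://app.example.com/callback"],
}
REUSED_ID = {
    "software_id": "4d2a6c0e-example-app",  # same id, different redirect target
    "redirect_uris": ["https://other.example.net/cb"],
}

if __name__ == "__main__":
    for name, req in (("same app", SAME_APP), ("reused software_id", REUSED_ID)):
        weak = find_by_software_id(REGISTRY, req)
        strict = find_by_software_id_and_redirects(REGISTRY, req)
        print(name, "| software_id only:", weak and weak["client_id"],
              "| with redirect_uris:", strict and strict["client_id"])
```

With the stricter lookup, a request that reuses the `software_id` but names different redirect URIs is not matched to the existing client and would be handled as a new registration.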