Should data uri be allowed as logo_uri ?

aaronpk / draft-parecki-oauth-client-id-metadata-document

Other

1 stars 1 forks source link

Should data uri be allowed as logo_uri ? #19

Open matthieusieben opened 2 months ago

matthieusieben commented 2 months ago

If so, how would it impact the size limit of the whole metadata document ?

ThisIsMissEm commented 2 months ago

I would argue that data URIs should not be used in the metadata documents, and only https URIs should be used. If you did wish to support data URIs, then it would obviously increase the size limit you'd need for the whole metadata document .

That's why I went with a non-binding size limit recommendation of 5kb, because I'm aware that there can be certain scenarios where the document may be bigger, particularly with localisation of fields and such.

matthieusieben commented 1 month ago

Well, one advantage of data-uri is that it is easier to let the AS "allow list" a particular image for a particular client, and show that image to the user while authorizing.

When an HTTPS uri is used, the actual file served could be different for the AS and USER, which could help performing phishing attacks.

matthieusieben commented 1 month ago

But I agree that the effect on the document size is not ideal...

ThisIsMissEm commented 1 month ago

When an HTTPS uri is used, the actual file served could be different for the AS and USER, which could help performing phishing attacks.

This is true, but linking directly to a remote file on a security sensitive page would not be advisable; Instead I'd recommend AS's cache media assets such as the application logo