oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

warn against using structured client_ids #35

Closed aaronpk closed 1 year ago

aaronpk commented 3 years ago

from Vittorio:


Wondering whether a warning against structured client_ids (e.g., identifiers assembled through some string template, like developer name+region+serial) would be in order. Perhaps in the security considerations?

dickhardt commented 3 years ago

What is Vittorio's concern? Leakage of metadata? An attacker can construct a client_id?