Open tplooker opened 2 months ago
The redirect_uri scheme has seen a pattern of use in early implementations/interops due to the simplicity of it. We probably shouldn't remove it without adding something similarly lightweight instead, e.g. the well-known based scheme suggested in https://github.com/openid/OpenID4VP/issues/82
As per discussion in #263 I believe we should remove this Client ID scheme because there is no way to get authoritative metadata for the client that isn't open to undetectable manipulation by the requestor impersonating the client. Put another way, with the redirect_uri client ID scheme there is no way to sign the request, have pre-registered metadata about the client, nor a trusted way to resolve the client's metadata from a URL, thus meaning any client metadata reported in the client metadata parameter is entirely self-attested metadata about the client set by the requestor.
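The concern above, worked through as an added example that is not from this issue thread or the OpenID4VP project: a wallet-side check that classifies how much it may rely on `client_metadata` by Client ID scheme. Under the `redirect_uri` scheme the Client Identifier is the redirect URI itself and the request cannot be signed, so the only defensible policy is to carry the metadata as self-attested and never present it to the user as verified. The request dictionary shape, the `pre_registered` registry contents and the hostnames are constructed for the example.

```python
"""
Added example: how a wallet can keep self-attested client metadata from being
mistaken for authoritative metadata. Assumes a parsed authorization request
with the OpenID4VP parameters named in the thread (client_id, client_id_scheme,
redirect_uri, client_metadata). PREREGISTERED_CLIENTS is a constructed stand-in
for the wallet's own registry of pre-registered verifiers.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed registry: metadata the wallet trusts because it was registered
# out of band, not carried in the request.
PREREGISTERED_CLIENTS = {
    "verifier-123": {
        "client_name": "Example Verifier",
        "redirect_uris": ["https://verifier.example/cb"],
    },
}


@dataclass
class ClientTrust:
    client_id: str
    metadata: dict
    authoritative: bool  # True only when the metadata came from a trusted source
    reason: str


def evaluate_client(request: dict) -> ClientTrust:
    """Return the client metadata the wallet may use, labelled by its provenance."""
    scheme = request.get("client_id_scheme")
    client_id = request.get("client_id")
    redirect_uri = request.get("redirect_uri")

    if scheme == "pre_registered":
        meta = PREREGISTERED_CLIENTS.get(client_id)
        if meta is None:
            raise ValueError("unknown pre-registered client_id")
        if redirect_uri not in meta["redirect_uris"]:
            raise ValueError("redirect_uri is not registered for this client")
        # Any client_metadata in the request is ignored; the registry wins.
        return ClientTrust(client_id, meta, True, "metadata from the wallet's registry")

    if scheme == "redirect_uri":
        # Under this scheme the Client Identifier is the redirect URI itself.
        if client_id != redirect_uri:
            raise ValueError("client_id must equal redirect_uri under the redirect_uri scheme")
        if urlparse(redirect_uri).scheme != "https":
            raise ValueError("redirect_uri must use https")
        # Nothing signs or cross-checks this metadata: the requester wrote it,
        # so the wallet records it but must not treat it as verified.
        return ClientTrust(
            client_id,
            request.get("client_metadata", {}),
            False,
            "client_metadata is self-attested by the requester",
        )

    raise ValueError(f"unsupported client_id_scheme: {scheme}")


def display_name(trust: ClientTrust) -> str:
    """Name shown to the user: a self-attested name is never shown as verified."""
    name = trust.metadata.get("client_name", trust.client_id)
    if trust.authoritative:
        return name
    return f"{trust.client_id} (unverified: claims to be '{name}')"


def rejects(request: dict) -> bool:
    """True when the wallet would refuse the request outright."""
    try:
        evaluate_client(request)
    except ValueError:
        return True
    return False
```

The useful property is that `authoritative` is decided by where the metadata came from, not by what it says: a `redirect_uri` request claiming the name of a registered verifier still comes back unverified, while the `pre_registered` path never reads `client_metadata` from the request at all.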