Open elf-pavlik opened 1 year ago
My take on dynamic client registration is that Solid-OIDC absolutely should not require it. Solid-OIDC should also not forbid it.
Between MAY and SHOULD, I think MAY is the better option. Dynamic client registration is useful in certain contexts, but generally, the use of client identifiers is much better.
This is one of the issues raised in a conversation with @dteleguin
5.2. OIDC Registration
The spec doesn't say clearly if the OIDC Provider MUST, SHOULD, or MAY support Dynamic Registration.
I don't think OP MUST provide DynReg and we should clarify it with explicit SHOULD or MAY.
As far as I recall, Keycloack would need to enable CORS on the Client Registration Endpoint to work with Solid-OIDC. Leaving DynReg optional should result in more fully conformant OPs.