solid / solid-oidc

The repository for the Solid OIDC authentication specification.
https://solid.github.io/solid-oidc/
MIT License

Dynamic Registration requirement level for OP #216

Open elf-pavlik opened 1 year ago

elf-pavlik commented 1 year ago

This is one of the issues raised in a conversation with @dteleguin.

5.2. OIDC Registration

For non-dereferencable identifiers, the Client MUST present a client_id value that has been registered with the OP via either OIDC dynamic or static registration. See also [OIDC-DYNAMIC-CLIENT-REGISTRATION].

When requesting Dynamic Client Registration, the Client MUST specify the scope in the metadata and include webid in its value (space-separated list).

The spec doesn't say clearly if the OIDC Provider MUST, SHOULD, or MAY support Dynamic Registration.

I don't think OP MUST provide DynReg and we should clarify it with explicit SHOULD or MAY.

As far as I recall, Keycloak would need to enable CORS on the Client Registration Endpoint to work with Solid-OIDC. Leaving DynReg optional should result in more fully conformant OPs.

acoburn commented 1 year ago

My take on dynamic client registration is that Solid-OIDC absolutely should not require it. Solid-OIDC should also not forbid it.

Between MAY and SHOULD, I think MAY is the better option. Dynamic client registration is useful in certain contexts, but generally, the use of client identifiers is much better.
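Added example (not code from the solid-oidc repository or either commenter) illustrating what the two comments above imply for a client once OP support for dynamic registration is only MAY: a non-dereferenceable client_id can be registered dynamically only if the OP advertises a registration endpoint, and the registration body must carry `webid` in its scope. The sample discovery documents, the function names and the https-only heuristic for a dereferenceable client_id are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample OP discovery documents (not real providers).
OP_WITH_DYNREG = {
    "issuer": "https://op.example",
    "registration_endpoint": "https://op.example/register",
}
OP_WITHOUT_DYNREG = {"issuer": "https://op.example"}


def is_dereferenceable(client_id: str) -> bool:
    """Assumed heuristic: an https URL is treated as a dereferenceable
    Client Identifier; anything else needs OP-side registration."""
    u = urlparse(client_id)
    return u.scheme == "https" and bool(u.netloc)


def build_dynreg_request(redirect_uris, scopes=("openid",)) -> dict:
    """Assemble a Dynamic Client Registration body. Section 5.2 requires
    the scope metadata to include 'webid' (space-separated), so it is
    appended when the caller omitted it."""
    scope_set = list(dict.fromkeys(scopes))
    if "webid" not in scope_set:
        scope_set.append("webid")
    return {
        "redirect_uris": list(redirect_uris),
        "scope": " ".join(scope_set),
    }


def plan_client_id(client_id, op_metadata, redirect_uris):
    """Decide how a client establishes its identity with an OP whose
    support for dynamic registration is optional (MAY).
    Returns (mode, payload)."""
    if is_dereferenceable(client_id):
        return ("client_identifier_document", {"client_id": client_id})
    endpoint = op_metadata.get("registration_endpoint")
    if endpoint:
        return ("dynamic_registration",
                {"endpoint": endpoint,
                 "body": build_dynreg_request(redirect_uris)})
    # OP does not advertise DynReg: only a statically registered
    # client_id will work, so report that instead of guessing one.
    return ("static_registration_required",
            {"issuer": op_metadata.get("issuer")})
```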