Closed eliaslevy closed 10 years ago
It enforces name uniqueness because the name is pretty much the only useful piece of information you can display to the resource owner about which client they're granting access to. If you allow other clients to be registered with the same name, you can abuse the trust the user has in that name to attack them.
That presumes you are only displaying the client name to the user and not also the owner's name, but I understand your reasoning for the default use case.
On Thursday, August 8, 2013, James Coglan wrote:
It enforces name uniqueness because the name is pretty much the only useful piece of information you can display to the resource owner about which client they're granting access to. If you allow other clients to be registered with the same name, you can abuse the trust the user has in that name to attack them.
Songkick::OAuth2::Model::Client enforces the uniqueness of the client name across all clients. This appears to be an undue restriction. Clients are scoped by their owner, and in some instances it's perfectly valid for different owners to use the same client name.
Are you open to scoping the name uniqueness check by the client owner?
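The trade-off discussed in this thread, as an added Ruby sketch that is not code from songkick/oauth2-provider: it compares a global name uniqueness check with an owner-scoped one and shows that the owner-scoped variant only stays unambiguous on the authorization prompt if the owner is displayed next to the name. `ClientRegistry`, `consent_label`, the owner names and the case/whitespace normalization are assumptions made for the illustration.

```ruby
# Added illustration; ClientRegistry and consent_label are hypothetical names,
# not part of songkick/oauth2-provider.
class ClientRegistry
  Client = Struct.new(:owner, :name)

  # scope :global -> a name may exist once across all owners
  # scope :owner  -> a name must be unique only among one owner's clients
  def initialize(scope)
    raise ArgumentError, "unknown scope" unless %i[global owner].include?(scope)
    @scope = scope
    @clients = []
  end

  # Returns the new Client, or nil when the uniqueness rule rejects the name.
  def register(owner, name)
    key = normalize(name)
    taken = @clients.any? do |c|
      normalize(c.name) == key && (@scope == :global || c.owner == owner)
    end
    return nil if taken
    client = Client.new(owner, name)
    @clients << client
    client
  end

  # Text shown to the resource owner on the authorization prompt.
  # With owner-scoped names the name alone is ambiguous, so the owner is shown too.
  def consent_label(client)
    @scope == :global ? client.name : "#{client.name} (registered by #{client.owner})"
  end

  private

  # Compare names ignoring case and surrounding whitespace (assumption of this sketch).
  def normalize(name)
    name.strip.downcase
  end
end

# Constructed sample data: two owners registering the same client name.
%i[global owner].each do |scope|
  registry = ClientRegistry.new(scope)
  first  = registry.register("owner_a", "Photo Printer")
  second = registry.register("owner_b", "photo printer ")
  labels = [first, second].compact.map { |c| registry.consent_label(c) }
  puts "#{scope}: #{labels.inspect}"
end
```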