Skip to content

Add Accept header requirement when fetching Client Metadata #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ThisIsMissEm wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add Accept header requirement when fetching Client Metadata #51

ThisIsMissEm wants to merge 1 commit into from

Conversation

@ThisIsMissEm
Copy link
Contributor

@ThisIsMissEm ThisIsMissEm commented Sep 29, 2025

This was noted in #30 (comment)

This pull request will conflict with #46

Is there any RFC we should specifically reference here with regards to the Accept header?

@ThisIsMissEm ThisIsMissEm mentioned this pull request Sep 29, 2025
Open
@aaronpk aaronpk added this to the Draft -01 milestone Nov 7, 2025
OR13
OR13 reviewed Nov 18, 2025
View reviewed changes
draft-parecki-oauth-client-id-metadata-document.md

The authorization server SHOULD fetch the document indicated by the `client_id`
to retrieve the client registration information.
to retrieve the client registration information. The Authorization Server MUST
Copy link

@OR13 OR13 Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why MUST? Typically a server can ignore the accept header and return whatever it wants... perhaps it is better to specify this as:

When the client_id is an HTTP Resource identifier, the Client ID Metadata Document Service MUST respond with a Content-Type header of application/json.

Also not sure if this fetching is supposed to work over protocols that do not support headers.

Copy link
Contributor Author

@ThisIsMissEm ThisIsMissEm Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a MUST for the reasons noted in #30 — the CIMD Service is also entirely optional. Having the AS send the Accept header, even if the server hosting the CIMD ignores it, allows at least for servers to go "nah, we really don't accept that request" and allow for early termination.

Copy link
Contributor Author

@ThisIsMissEm ThisIsMissEm Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also already have language around the response content-type in the document.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronpk aaronpk Awaiting requested review from aaronpk aaronpk is a code owner

1 more reviewer

@OR13 OR13 OR13 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Draft -01

Development

Successfully merging this pull request may close these issues.

3 participants

@ThisIsMissEm @OR13 @aaronpk