Hi!
A question for you to ponder.
In the OAuth2 security best practices document there is this statement:
"Clients SHOULD use distinct redirect URIs for each authorization server"
If the metadata consumer is known, it's easy to craft the metadata to contain OP-specific information,
but if the consumer is unknown this is impossible.
If the RP is doing explicit registration this is not a problem (since the consumer is known), but if automatic registration is
used then the only way I can see to handle this is to provide OP-specific client_id/entity IDs in the authorization request.
There is nothing in the specification that says that an entity can only have one entity ID.
Thoughts?
— Roland