Rauthy provides .well-known/openid-configuration but when looking that one up it shows amongst other things all grant types. But for specific clients, only some grant types are enabled. Is there a client-specific discovery document as well?
Replies: 1 comment 3 replies
No. If a client simply requests all available ones, it's actually a bad client. It should only request the ones that it actually needs and should have access to, and you usually configure the For instance, only because I "support" posting my social security number here on Github, because I have this information available, it's not a good idea to actually do that and others have no right to request it.
I don't have an idea in what kind of situation such a client specific document would be necessary or even helpful, but if you have a valid use case and it makes sense, it could be added pretty easily I guess.
The generic config exists in this place to provide auto-lookups for all URLs usually. With a specific location, the auto-lookup would be impossible and you need to specify it manually again. So I guess you would even lose features.
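
The client behaviour described in this thread, as an added example that is not part of the discussion and not Rauthy's code: the client reads the provider-wide discovery document for endpoint auto-lookup, but uses only the grant types it was built to need. The discovery JSON, URLs and `CLIENT_NEEDS` are constructed sample values, and `plan_grants` is a hypothetical helper.

```python
import json

# Constructed sample of a provider-wide discovery document (not real Rauthy output).
DISCOVERY_JSON = """{
  "issuer": "https://idp.example.com/auth/v1",
  "authorization_endpoint": "https://idp.example.com/auth/v1/oidc/authorize",
  "token_endpoint": "https://idp.example.com/auth/v1/oidc/token",
  "grant_types_supported":
    ["authorization_code", "client_credentials", "password", "refresh_token"]
}"""

# Hypothetical per-client setting: the grant types this client actually needs.
CLIENT_NEEDS = {"authorization_code", "refresh_token"}


def plan_grants(discovery: dict, expected_issuer: str, needed: set) -> dict:
    """Pick endpoints from discovery, but only the grant types the client needs."""
    # OIDC Discovery requires the issuer in the document to match the one looked up.
    if discovery.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in discovery document")
    # If the field is omitted, the spec default is authorization_code and implicit.
    supported = set(
        discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    )
    missing = needed - supported
    if missing:
        raise ValueError(f"provider does not support: {sorted(missing)}")
    return {
        "authorization_endpoint": discovery["authorization_endpoint"],
        "token_endpoint": discovery["token_endpoint"],
        # Only what the client needs, never everything the provider advertises.
        "grant_types": sorted(needed),
        # Advertised by the provider but deliberately left unused by this client.
        "unused": sorted(supported - needed),
    }


if __name__ == "__main__":
    doc = json.loads(DISCOVERY_JSON)
    print(plan_grants(doc, "https://idp.example.com/auth/v1", CLIENT_NEEDS))
```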