The name "Client Identifier Scheme" is misleading enough to make people believe it is valid as a URI scheme. Unless there is a strong reason to prefer underscores over hyphens, I believe it would be better to change them to `redirect-uri`, `verifier-attestation`, `x509-san-dns`, and `x509-san-uri`. This would also make it easier to parse client identifiers as URIs in many programming languages, simplifying the process of extracting client identifier schemes. For reference, I’ve attached experimental code in Java and Ruby, and its result.
```java
import java.net.URI;

public class ClientIdentifierSchemeTest
{
    public static void main(String[] args)
    {
        // Client identifier examples from the OpenID4VP spec.
        String[] ids = new String[] {
            "redirect_uri:https://client.example.org/cb",
            "https://federation-verifier.example.com",
            "did:example:123#1",
            "verifier_attestation:verifier.example",
            "x509_san_dns:client.example.org",
            "x509_san_uri:https://client.example.org/cb",
            "web-origin:https://verifier.example.com"
        };

        for (String id : ids)
        {
            System.out.format("%-45s %s URI%n", id, validity(id));
        }

        System.out.print("\n..... Replacing underscores with hyphens .....\n\n");

        for (String id : ids)
        {
            // Replace underscores with hyphens.
            id = id.replaceAll("_", "-");

            // Parse as a URI.
            URI uri = URI.create(id);

            // Print the identifier and the scheme part.
            System.out.format("%-45s scheme=%s%n", id, uri.getScheme());
        }
    }

    private static String validity(String string)
    {
        try
        {
            // Parse the string as a URI.
            new URI(string);

            // Valid URI.
            return "Valid";
        }
        catch (Exception cause)
        {
            // Invalid URI.
            return "Invalid";
        }
    }
}
```
```ruby
#!/usr/bin/env ruby

require 'uri'

def main(args)
  # Client identifier examples from the OpenID4VP spec.
  ids = [
    'redirect_uri:https://client.example.org/cb',
    'https://federation-verifier.example.com',
    'did:example:123#1',
    'verifier_attestation:verifier.example',
    'x509_san_dns:client.example.org',
    'x509_san_uri:https://client.example.org/cb',
    'web-origin:https://verifier.example.com'
  ]

  ids.each do |id|
    printf("%-45s %s URI\n", id, validity(id))
  end

  printf "\n..... Replacing underscores with hyphens .....\n\n"

  ids.each do |id|
    # Replace underscores with hyphens.
    id = id.tr("_", "-")

    # Parse as a URI.
    uri = URI.parse(id)

    # Print the identifier and the scheme part.
    printf("%-45s scheme=%s\n", id, uri.scheme)
  end
end

def validity(string)
  begin
    # Parse the string as a URI.
    URI.parse(string)

    # Valid URI.
    return "Valid"
  rescue
    # Invalid URI.
    return "Invalid"
  end
end

main(ARGV)
```
Result (Both programs output the same result):
```
redirect_uri:https://client.example.org/cb    Invalid URI
https://federation-verifier.example.com       Valid URI
did:example:123#1                             Valid URI
verifier_attestation:verifier.example         Invalid URI
x509_san_dns:client.example.org               Invalid URI
x509_san_uri:https://client.example.org/cb    Invalid URI
web-origin:https://verifier.example.com       Valid URI

..... Replacing underscores with hyphens .....

redirect-uri:https://client.example.org/cb    scheme=redirect-uri
https://federation-verifier.example.com       scheme=https
did:example:123#1                             scheme=did
verifier-attestation:verifier.example         scheme=verifier-attestation
x509-san-dns:client.example.org               scheme=x509-san-dns
x509-san-uri:https://client.example.org/cb    scheme=x509-san-uri
web-origin:https://verifier.example.com       scheme=web-origin
```
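An added example, not part of the issue or of the OpenID4VP spec: extracting the prefix by splitting on the first ":" and checking it against the RFC 3986 scheme grammar separately, so the underscore prefixes are handled without a URI parser. The names `split_client_id` and `classify`, the allow-list, and the exact case-sensitive match are assumptions of this sketch.

```ruby
# RFC 3986, Section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
RFC3986_SCHEME = /\A[A-Za-z][A-Za-z0-9+.-]*\z/

# Assumption of this sketch: the prefixes the parser accepts,
# taken from the identifiers quoted in this issue.
KNOWN_PREFIXES = %w[
  redirect_uri verifier_attestation x509_san_dns x509_san_uri
  web-origin https did
].freeze

# Split on the first ":" only, so the result does not depend on whether
# the prefix happens to be a syntactically valid URI scheme.
def split_client_id(client_id)
  prefix, sep, rest = client_id.partition(':')
  return nil if sep.empty? || prefix.empty? || rest.empty?
  [prefix, rest]
end

def classify(client_id)
  prefix, rest = split_client_id(client_id)
  return { prefix: nil, rest: nil, known: false, uri_scheme: false, offending: [] } if prefix.nil?

  {
    prefix: prefix,
    rest: rest,
    known: KNOWN_PREFIXES.include?(prefix),        # exact, case-sensitive match
    uri_scheme: prefix.match?(RFC3986_SCHEME),     # would a URI parser accept it?
    offending: prefix.scan(/[^A-Za-z0-9+.-]/).uniq # characters outside the grammar
  }
end

# Identifiers copied from the issue, plus two constructed edge cases.
[
  'redirect_uri:https://client.example.org/cb',
  'x509_san_dns:client.example.org',
  'web-origin:https://verifier.example.com',
  'did:example:123#1',
  'Redirect_URI:https://client.example.org/cb', # constructed: wrong case
  'no-delimiter.example'                        # constructed: no ":"
].each do |id|
  c = classify(id)
  printf("%-45s prefix=%-22s known=%-5s uri_scheme=%-5s offending=%s\n",
         id, c[:prefix].inspect, c[:known], c[:uri_scheme], c[:offending].inspect)
end
```

RFC 3986 treats schemes as case-insensitive, so a URI parser and an exact prefix match can disagree on an input such as `Redirect-URI:`; a verifier should use one extraction rule consistently when selecting how to validate the client.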
Despite the name "Client Identifier Scheme" including the word "Scheme" and the use of a ":" as the prefix delimiter, these were never AFAIK intended to be URIs with valid or registered URI schemes.
I believe that it would be much less confusing/misleading to use a different character or short set of characters as the prefix delimiter and not give special treatment to Federation and DIDs.
type is another term and I don't have an alternative right away, but I would support renaming "Client Identifier Scheme" to "Client Identifier Type" or something, as a way to prevent confusion.
Among the client identifier schemes defined in "Section 5.10.4. Defined Client Identifier Schemes" of OpenID4VP, `redirect_uri`, `verifier_attestation`, `x509_san_dns`, and `x509_san_uri` violate the scheme definition in "Section 3.1. Scheme" of "RFC 3986 Uniform Resource Identifier (URI): Generic Syntax". Simply put, scheme strings must not include underscores. Is the DCP WG aware of this?