Client Identifier Schemes violate RFC 3986 #376

Open
TakahikoKawasaki opened this issue Dec 26, 2024 · 3 comments
@TakahikoKawasaki

Among the client identifier schemes defined in "Section 5.10.4. Defined Client Identifier Schemes" of OpenID4VP, redirect_uri, verifier_attestation, x509_san_dns, and x509_san_uri violate the scheme definition in "Section 3.1. Scheme" of "RFC 3986 Uniform Resource Identifier (URI): Generic Syntax". Simply put, scheme strings must not include underscores. Is the DCP WG aware of this?

The name "Client Identifier Scheme" is misleading enough to make people believe it is valid as a URI scheme. Unless there is a strong reason to prefer underscores over hyphens, I believe it would be better to change them to redirect-uri, verifier-attestation, x509-san-dns, and x509-san-uri. This would also make it easier to parse client identifiers as URIs in many programming languages, simplifying the process of extracting client identifier schemes. For reference, I’ve attached experimental code in Java and Ruby, and the results.

```java
import java.net.URI;

public class ClientIdentifierSchemeTest
{
    public static void main(String[] args)
    {
        // Client identifier examples from the OpenID4VP spec.
        String[] ids = new String[] {
            "redirect_uri:https://client.example.org/cb",
            "https://federation-verifier.example.com",
            "did:example:123#1",
            "verifier_attestation:verifier.example",
            "x509_san_dns:client.example.org",
            "x509_san_uri:https://client.example.org/cb",
            "web-origin:https://verifier.example.com"
        };

        for (String id : ids)
        {
            System.out.format("%-45s %s URI%n", id, validity(id));
        }

        System.out.print("\n..... Replacing underscores with hyphens .....\n\n");

        for (String id : ids)
        {
            // Replace underscores with hyphens.
            id = id.replaceAll("_", "-");

            // Parse as a URI.
            URI uri = URI.create(id);

            // Print the identifier and the scheme part.
            System.out.format("%-45s scheme=%s%n", id, uri.getScheme());
        }
    }

    private static String validity(String string)
    {
        try
        {
            // Parse the string as a URI.
            new URI(string);

            // Valid URI.
            return "Valid";
        }
        catch (Exception cause)
        {
            // Invalid URI.
            return "Invalid";
        }
    }
}
```

```ruby
#!/usr/bin/env ruby

require 'uri'

def main(args)
  # Client identifier examples from the OpenID4VP spec.
  ids = [
    'redirect_uri:https://client.example.org/cb',
    'https://federation-verifier.example.com',
    'did:example:123#1',
    'verifier_attestation:verifier.example',
    'x509_san_dns:client.example.org',
    'x509_san_uri:https://client.example.org/cb',
    'web-origin:https://verifier.example.com'
  ]

  ids.each do |id|
    printf("%-45s %s URI\n", id, validity(id))
  end

  printf "\n..... Replacing underscores with hyphens .....\n\n"

  ids.each do |id|
    # Replace underscores with hyphens.
    id = id.tr("_", "-")

    # Parse as a URI.
    uri = URI.parse(id)

    # Print the identifier and the scheme part.
    printf("%-45s scheme=%s\n", id, uri.scheme)
  end
end

def validity(string)
  begin
    # Parse the string as a URI.
    URI.parse(string)

    # Valid URI.
    return "Valid"
  rescue
    # Invalid URI.
    return "Invalid"
  end
end

main(ARGV)
```

Result (Both programs output the same result):

```
redirect_uri:https://client.example.org/cb    Invalid URI
https://federation-verifier.example.com       Valid URI
did:example:123#1                             Valid URI
verifier_attestation:verifier.example         Invalid URI
x509_san_dns:client.example.org               Invalid URI
x509_san_uri:https://client.example.org/cb    Invalid URI
web-origin:https://verifier.example.com       Valid URI

..... Replacing underscores with hyphens .....

redirect-uri:https://client.example.org/cb    scheme=redirect-uri
https://federation-verifier.example.com       scheme=https
did:example:123#1                             scheme=did
verifier-attestation:verifier.example         scheme=verifier-attestation
x509-san-dns:client.example.org               scheme=x509-san-dns
x509-san-uri:https://client.example.org/cb    scheme=x509-san-uri
web-origin:https://verifier.example.com       scheme=web-origin
```
@bc-pi
Member

bc-pi commented Jan 7, 2025

Despite the name "Client Identifier Scheme" including the word "Scheme" and the use of a ":" as the prefix delimiter, these were never AFAIK intended to be URIs with valid or registered URI schemes.

I believe that it would be much less confusing/misleading to use a different character or short set of characters as the prefix delimiter and not give special treatment to Federation and DIDs.

@ThisIsMissEm

The conversation yesterday did also mention renaming schemes to types to avoid confusion with URI schemes.

@Sakurann
Collaborator

type is another term and I don't have an alternative right away, but I would support renaming "Client Identifier Scheme" to "Client Identifier Type" or something, as a way to prevent confusion.
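
Added example, not part of the thread and not code from the OpenID4VP specification or any participant: since the prefixes as currently named are rejected by URI parsers, the prefix can be extracted by splitting on the first `:` and matching it exactly against an allowlist. The prefix list is taken from the sample identifiers in this issue; treating `https` and `did` identifiers as whole values and returning no prefix for unrecognized input are assumptions of this sketch, as are all names in it.

```ruby
# Added example: prefix handling for the identifier forms listed in this issue.
# Prefixes that are stripped to obtain the underlying identifier.
STRIPPED_PREFIXES = %w[
  redirect_uri verifier_attestation x509_san_dns x509_san_uri web-origin
].freeze

# Assumption: for these two the whole string is the identifier (the
# "special treatment" of Federation and DIDs mentioned in the thread).
WHOLE_VALUE_PREFIXES = %w[https did].freeze

# RFC 3986 Section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
RFC3986_SCHEME = /\A[A-Za-z][A-Za-z0-9+.-]*\z/

# rfc3986_scheme records whether the prefix would also parse as a URI scheme.
ParsedClientId = Struct.new(:prefix, :value, :rfc3986_scheme)

# Splits on the first ":" only and matches the prefix exactly (case-sensitive)
# against the allowlists, so no URI parser is involved.
def parse_client_id(client_id)
  unless client_id.is_a?(String) && !client_id.empty?
    raise ArgumentError, 'client_id must be a non-empty string'
  end

  prefix, rest = client_id.split(':', 2)
  stripped = STRIPPED_PREFIXES.include?(prefix)
  known = stripped || WHOLE_VALUE_PREFIXES.include?(prefix)

  # No colon or an unrecognized prefix: report no prefix and leave the
  # decision to the caller instead of guessing.
  return ParsedClientId.new(nil, client_id, false) unless rest && known

  raise ArgumentError, "empty identifier after #{prefix}:" if rest.empty?

  value = stripped ? rest : client_id
  ParsedClientId.new(prefix, value, RFC3986_SCHEME.match?(prefix))
end
```

The `rfc3986_scheme` field reproduces the issue's finding without a URI library: it is false for the four underscore prefixes and true for `web-origin`, `https` and `did`.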
