From 76daaa1f34ea5eb80f88bdc9d65b8f26069b4b22 Mon Sep 17 00:00:00 2001 From: Emelia Smith Date: Mon, 29 Sep 2025 20:39:00 +0200 Subject: [PATCH] Restrict URI properties to absolute URIs using the https: scheme --- draft-parecki-oauth-client-id-metadata-document.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/draft-parecki-oauth-client-id-metadata-document.md b/draft-parecki-oauth-client-id-metadata-document.md index 9bab808..a3d2bbb 100644 --- a/draft-parecki-oauth-client-id-metadata-document.md +++ b/draft-parecki-oauth-client-id-metadata-document.md @@ -176,6 +176,8 @@ client metadata document: `client_secret_basic`, `client_secret_jwt`, or any other method based around a shared symmetric secret. * the `client_secret` and `client_secret_expires_at` properties MUST NOT be used +* the properties that refer to URIs, such as `client_uri` and `logo_uri`, MUST be absolute URIs +using the `https:` scheme, with the exception of the `redirect_uris` which MAY use custom schemes. See {{client_authentication}} for more details.
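Review bot: In the added bullet, "such as `client_uri` and `logo_uri`" leaves the scope of a MUST open-ended, so an implementer validating a client metadata document cannot tell exactly which properties have to be rejected when they are relative or use a scheme other than `https:`. Suggest either enumerating the covered properties or defining the set normatively (for example, every property whose value is a URI). The exception clause has the same problem: "MAY use custom schemes" does not say whether `redirect_uris` entries must still be absolute URIs, or whether `http:` counts as a custom scheme for this purpose. Stating both would make the rule testable. Minor wording: "the `redirect_uris` which" reads better as "`redirect_uris`, which".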