diff --git a/draft-parecki-oauth-client-id-metadata-document.md b/draft-parecki-oauth-client-id-metadata-document.md index b7d8956..f3c9861 100644 --- a/draft-parecki-oauth-client-id-metadata-document.md +++ b/draft-parecki-oauth-client-id-metadata-document.md @@ -271,6 +271,12 @@ Authorization servers fetching the client metadata document and resolving URLs l Authorization servers SHOULD limit the response size when fetching the client metadata document, as to avoid denial of service attacks against the authorization server by consuming excessive resources (memory, disk, database). The recommended maximum response size for client metadata documents is 5 kilobytes. +## Displaying Logos to End-Users + +Authorization servers that wish to make use of the `logo_uri` property within client metadata document SHOULD prefetch the file at `logo_uri` and cache it for the cache duration of the client metadata document. This allows for moderation tools to verify the file contents (e.g., preventing usage of logos that look like other logos), as well as preventing the logo from being dynamically changed to confuse an end-user. + +Caching of the `logo_uri` response can additionally prevent cross-domain tracking through the `logo_uri` being requested by the client, since the cached file would be served not from the remote URI but instead from a URI that the Authorization server trusts. + # IANA Considerations ## OAuth Authorization Server Metadata Registry @@ -301,7 +307,8 @@ The authors would like to thank the following people for their contributions and -02 -* Removed acceptance of query string parameters in Client ID Metadata Document URLs, since this encourages bad security practices (e.g., minting documents based on query string parameters) +* Added security consideration around displaying logos to end users +* Changed query string parameters in Client ID Metadata Document URLs to "SHOULD NOT", since this encourages bad security practices (e.g., minting documents based on query string parameters) * Added prohibition on the `client_secret_expires_at` property, as it is not relevant for Client ID Metadata Documents. * Added security consideration for development use-cases.