Client Identifier Schemes violate RFC 3986

[TakahikoKawasaki]

Among the client identifier schemes defined in "Section 5.10.4. Defined Client Identifier Schemes" of OpenID4VP, redirect_uri, verifier_attestation, x509_san_dns, and x509_san_uri violate the scheme definition in "Section 3.1. Scheme" of "RFC 3986 Uniform Resource Identifier (URI): Generic Syntax". Simply put, scheme strings must not include underscores. Is the DCP WG aware of this?

The name "Client Identifier Scheme" is misleading enough to make people believe it is valid as a URI scheme. Unless there is a strong reason to prefer underscores over hyphens, I believe it would be better to change them to redirect-uri, verifier-attestation, x509-san-dns, and x509-san-uri. This would also make it easier to parse client identifiers as URIs in many programming languages, simplifying the process of extracting client identifier schemes. For reference, I’ve attached experimental codes in Java and Ruby, and their result.

import java.net.URI;

public class ClientIdentifierSchemeTest
{
    public static void main(String[] args)
    {
        // Client identifier examples from the OpenID4VP spec.
        String[] ids = new String[] {
            "redirect_uri:https://client.example.org/cb",
            "https://federation-verifier.example.com",
            "did:example:123#1",
            "verifier_attestation:verifier.example",
            "x509_san_dns:client.example.org",
            "x509_san_uri:https://client.example.org/cb",
            "web-origin:https://verifier.example.com"
        };

        for (String id : ids)
        {
            System.out.format("%-45s %s URI%n", id, validity(id));
        }

        System.out.print("\n..... Replacing underscores with hyphens .....\n\n");

        for (String id : ids)
        {
            // Replace underscores with hyphens.
            id = id.replaceAll("_", "-");

            // Parse as a URI.
            URI uri = URI.create(id);

            // Print the identifier and the scheme part.
            System.out.format("%-45s scheme=%s%n", id, uri.getScheme());
        }
    }

    private static String validity(String string)
    {
        try
        {
            // Parse the string as a URI.
            new URI(string);

            // Valid URI.
            return "Valid";
        }
        catch (Exception cause)
        {
            // Invalid URI.
            return "Invalid";
        }
    }
}

#!/usr/bin/env ruby

require 'uri'

def main(args)
  # Client identifier examples from the OpenID4VP spec.
  ids = [
    'redirect_uri:https://client.example.org/cb',
    'https://federation-verifier.example.com',
    'did:example:123#1',
    'verifier_attestation:verifier.example',
    'x509_san_dns:client.example.org',
    'x509_san_uri:https://client.example.org/cb',
    'web-origin:https://verifier.example.com'
  ]

  ids.each do |id|
    printf("%-45s %s URI\n", id, validity(id))
  end

  printf "\n..... Replacing underscores with hyphens .....\n\n"

  ids.each do |id|
    # Replace underscores with hyphens.
    id = id.tr("_", "-")

    # Parse as a URI.
    uri = URI.parse(id)

    # Print the identifier and the scheme part.
    printf("%-45s scheme=%s\n", id, uri.scheme)
  end
end

def validity(string)
  begin
    # Parse the string as a URI.
    URI.parse(string)

    # Valid URI.
    return "Valid"
  rescue
    # Invalid URI.
    return "Invalid"
  end
end

main(ARGV)

Result (Both programs output the same result):

redirect_uri:https://client.example.org/cb    Invalid URI
https://federation-verifier.example.com       Valid URI
did:example:123#1                             Valid URI
verifier_attestation:verifier.example         Invalid URI
x509_san_dns:client.example.org               Invalid URI
x509_san_uri:https://client.example.org/cb    Invalid URI
web-origin:https://verifier.example.com       Valid URI

..... Replacing underscores with hyphens .....

redirect-uri:https://client.example.org/cb    scheme=redirect-uri
https://federation-verifier.example.com       scheme=https
did:example:123#1                             scheme=did
verifier-attestation:verifier.example         scheme=verifier-attestation
x509-san-dns:client.example.org               scheme=x509-san-dns
x509-san-uri:https://client.example.org/cb    scheme=x509-san-uri
web-origin:https://verifier.example.com       scheme=web-origin

[bc-pi]

Despite the name "Client Identifier Scheme" including the word "Scheme" and the use of a ":" as the prefix delimiter, these were never AFAIK intended to be URIs with valid or registered URI schemes.

I believe that it would be much less confusing/misleading to use a different character or short set of characters as the prefix delimiter and not give special treatment to Federation and DIDs.

[ThisIsMissEm]

The conversation yesterday did also mention renaming schemes to types to avoid confusion with URI schemes

[Sakurann]

type is another term and I don't have an alternative right away, but I would support renaming "Client Identifier Scheme" to "Client Identifier Type" or something, as a way to prevent confusion.

[bc-pi]

There has been discussion of using scheme vs. type vs. some synonym-ish thereof. But again I believe much of the confusion would be avoided by the use of a different character or short set of characters as the prefix delimiter and not giving special treatment to Federation and DIDs.

[c2bo]

The current mix of underscore and dashes definitely seems weird. We should try to at least align the client id schemes (or however we call them) at that point.

[bc-pi]

Please see #401