I'm trying to use an OpenID Connect feature that is called "passing a Request Object by reference" (see https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter ) which appears to be supported by Ory Hydra, looking at the OAuth 2.0 client API. No other documentation seems to be available though, so I'm a bit in the dark here.

I have tested Request Object by value successfully so far, but I'm stuck on "by reference" because of the strict matching that is applied to pre-registered "request_uris", see https://www.ory.sh/docs/hydra/reference/api#tag/oAuth2/operation/createOAuth2Client

There are use cases where request URIs are static and they can be known and registered in advance, which would work with Ory Hydra, e.g. where the signed parameters only include (relatively) static values like "scope", "redirect_uri", "client_id" etc.

However, in my case - and I believe typically - the "request_uri" would include a dynamic component that refers to a temporarily stored/cached request object that contains for example "nonce" or "state" values that are generated on a per-request basis and cannot be known in advance. The example in the spec contains a URL fragment value of such nature, see https://openid.net/specs/openid-connect-core-1_0.html#CreateRequestUri

In the latter case passing a Request Object by reference cannot be used with Ory Hydra because of the strict matching to the pre-registered set of Request URIs that Ory Hydra applies.

Hence my question is, firstly, if this is intended behaviour, and secondly, if it can be changed to apply pattern matching to the Request URIs. Wildcard matching ("*") at the end of the registered value seems to be what other Providers use by default.
Replies: 1 comment
Hello @zandbelt

Ory Hydra does indeed support the use of the `request_uri` parameter in OpenID Connect requests. This parameter is used to pass a Request Object by reference, as you've mentioned. But Ory Hydra requires any request_uri values used to be pre-registered using the request_uris registration parameter. This suggests that Ory Hydra does apply strict matching to the pre-registered set of Request URIs.

As for your question on whether this is intended behavior, I don't know. However, given that this requirement is explicitly mentioned in the API documentation, I think this is indeed the intended behavior.

Regarding your second question on whether it can be changed to apply pattern matching to the Request URIs, that is possible as far as I can tell but requires either a PR to add this to Hydra or some custom code.
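To make the trade-off in this thread concrete, here is an added example (not part of the original posts and not Ory Hydra's code) of a `request_uri` check that keeps strict matching by default and allows a trailing `*` only after the path has begun, so the wildcard cannot extend into the host. The function names, the trailing-`*` convention and the sample URIs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// matchEntry reports whether requested is covered by one registered
// request_uris entry. Entries match exactly unless they end in "*".
func matchEntry(entry, requested string) bool {
	if !strings.HasSuffix(entry, "*") {
		return entry == requested // strict matching, as discussed above
	}
	prefix := strings.TrimSuffix(entry, "*")
	pu, err := url.Parse(prefix)
	if err != nil || pu.Scheme != "https" || pu.Host == "" || pu.Path == "" {
		// Refuse wildcards that start inside the scheme or authority:
		// "https://client.example.org*" would otherwise also cover
		// "https://client.example.org.attacker.test/".
		return false
	}
	ru, err := url.Parse(requested)
	if err != nil || ru.Scheme != pu.Scheme || ru.Host != pu.Host {
		return false
	}
	// Reject dot-dot segments (ru.Path is already percent-decoded) so the
	// variable part cannot climb out of the registered path.
	if strings.Contains(ru.Path+"/", "/../") {
		return false
	}
	return strings.HasPrefix(requested, prefix)
}

// requestURIAllowed checks a request_uri against all registered entries.
func requestURIAllowed(registered []string, requested string) bool {
	for _, entry := range registered {
		if matchEntry(entry, requested) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values, not taken from a real client registration.
	dynamic := "https://client.example.org/request.jwt#constructed-fragment-123"
	fmt.Println(requestURIAllowed([]string{"https://client.example.org/request.jwt"}, dynamic))   // false
	fmt.Println(requestURIAllowed([]string{"https://client.example.org/request.jwt#*"}, dynamic)) // true
}
```
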