| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2024-03-31 12:25:52 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-31 12:25:52 +1100 |
| commit | a2244206f411b1701f13c435222ab60cb992959a (patch) | |
| tree | 9dbe0d129c5c93316f8dd25602cc178552c6f594 /docs/content/configuration/identity-providers/openid-connect/clients.md | |
| parent | 097bc2eaab5fa6153f873b389e4d16ac7abd5cc7 (diff) | |
fix(configuration): incorrect sector_identifier_uri validation (#7037)
This fixes a number of validation errors with the sector_identifier_uri for clients. For starters, empty strings should be ignored; secondly, a sector_identifier_uri must point to a JSON document on a secure protocol, i.e. HTTPS, but this was not reflected in the tests. We still need to add a check to ensure the JSON document is valid for the client (i.e. includes all of the registered redirect_uris).
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Diffstat (limited to 'docs/content/configuration/identity-providers/openid-connect/clients.md')
| -rw-r--r-- | docs/content/configuration/identity-providers/openid-connect/clients.md | 22 | 
1 files changed, 16 insertions, 6 deletions
diff --git a/docs/content/configuration/identity-providers/openid-connect/clients.md b/docs/content/configuration/identity-providers/openid-connect/clients.md index 2545229b4..7898c3994 100644 --- a/docs/content/configuration/identity-providers/openid-connect/clients.md +++ b/docs/content/configuration/identity-providers/openid-connect/clients.md @@ -155,8 +155,18 @@ the specified client, changing this should cause the relying party to detect all  users.*  *__Important Note:__ This **must** either not be configured at all i.e. commented or completely absent from the -configuration, or it must be an absolute HTTPS URL which contains a valid sector identifier JSON document. An empty -string is not a valid configuration.* +configuration, or it must be an absolute HTTPS URL which contains a valid sector identifier JSON document. Configuration +of this option with the `https://` scheme per the requirements will cause Authelia to validate this JSON document.* + +A valid `sector_identifier_uri` will: +  1. Have the scheme `https://`. +  2. Be the absolute URI of a JSON document which: +     1. Is a JSON array of strings (URIs). +     2. Has every URI registered with this clients [redirect_uris](#redirect_uris) when compared using an exact string +        match as defined in [OAuth 2.0 Security Best Current Practice Section 2.1]. +     3. May or may not have additional [redirect_uris](#redirect_uris) from other clients. + +[OAuth 2.0 Security Best Current Practice Section 2.1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1  Authelia utilizes UUID version 4 subject identifiers. By default the public [Subject Identifier Type] is utilized for  all clients. This means the subject identifiers will be the same for all clients. This configuration option enables 
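Review bot: The added sentence "Configuration of this option with the `https://` scheme per the requirements will cause Authelia to validate this JSON document." documents a check that the commit message says is still to be added (verifying the document includes all of the client's registered redirect_uris); either reword it to describe what is validated now (the option is ignored when empty, and otherwise must be an absolute `https://` URL) or state plainly that validation of the document's contents is planned. In the new list, "registered with this clients [redirect_uris]" should be "this client's", and item 2.3 "May or may not have additional [redirect_uris] from other clients" reads better as "May also contain redirect_uris belonging to other clients." The new reference link points at the unversioned `draft-ietf-oauth-security-topics`, so the `#section-2.1` anchor can drift as the draft is revised; consider pinning the draft revision.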
@@ -166,10 +176,10 @@ the lookup of the subject identifier.  1. All clients who do not have this configured will generate the same subject identifier for a particular user     regardless of which client obtains the ID token.  2. All clients which have the same sector identifier will: -   1. have the same subject identifier for a particular user when compared to clients with the same sector identifier. -   2. have a completely different subject identifier for a particular user whe compared to: -      1. any client with the public subject identifier type. -      2. any client with a differing sector identifier. +   1. Have the same subject identifier for a particular user when compared to clients with the same sector identifier. +   2. Have a completely different subject identifier for a particular user when compared to: +      1. Any client with the public subject identifier type. +      2. Any client with a differing `sector_identifier_uri`.  In specific but limited scenarios this option is beneficial for privacy reasons. In particular this is useful when the  party utilizing the *Authelia* [OpenID Connect 1.0] Authorization Server is foreign and not controlled by the user. It would  | 
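Review bot: After this hunk the terminology is split: item 2.2.2 now says "a differing `sector_identifier_uri`" while item 2 and item 2.1 still say "sector identifier". Pick one form for the whole list, e.g. "the same `sector_identifier_uri`" in item 2 and 2.1 as well, or keep "sector identifier" everywhere and link the phrase to the option once. Item 2.1, "Have the same subject identifier for a particular user when compared to clients with the same sector identifier", also restates the condition already given in item 2 and can be shortened to "Have the same subject identifier for a particular user."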
