[Openid-specs-ab] key usage

Roland Hedberg roland.hedberg at adm.umu.se
Thu Aug 16 07:31:45 UTC 2012


I've just encountered this problem and I'm not sure we've decided how to
cope with it.

The example is with Edmund's OP, but that is immaterial; I have the same
problem with other OPs.

When my RP gathers information about the OP, that information has an
issuer. In Edmund's case "https://connect.openid4.us/".

My RP then gathers the keys published by the OP and stores them as owned
by the issuer.

Later I get an ID Token from the OP with 'iss' defined as
'https://connect.openid4.us/abop', which is not the same as the 'owner'
of the OP's keys.

So, what to do?

Am I supposed to do a leading substring match with the OP information
issuer, or am I to check against the endpoints of the OP, or is the
assumption that the issuer of the OP information should be the same as
the issuer of the ID Token?

-- Roland
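The check the question turns on, as an added example that is not part of Roland's mail or of any OP or RP implementation it mentions: the final OpenID Connect Core spec (section 3.1.3.7, ID Token validation, step 2) requires the Issuer Identifier obtained during discovery to exactly match the ID Token's 'iss' claim, so the two values quoted above fail validation. The issuer strings are the ones from the mail; the key store and the ID Token payloads are constructed for illustration, and the helper names are this example's own.

```python
"""Exact-match issuer validation for an OpenID Connect RP.

Added example, not code from the mail or from any OP/RP it discusses.
Contrasts the exact match the spec requires with the leading-substring
match the mail asks about, and shows why keys stored per issuer should
only be looked up by the token's exact 'iss' value.
"""

# Issuer values quoted in the mail.
DISCOVERED_ISSUER = "https://connect.openid4.us/"
ID_TOKEN_ISS = "https://connect.openid4.us/abop"

# Keys the RP fetched from the OP, indexed by the issuer they were fetched
# for. Constructed key set; 'kid' values are placeholders, not real keys.
KEY_STORE = {
    DISCOVERED_ISSUER: [{"kid": "placeholder-key-1", "kty": "RSA"}],
}


def issuer_matches(discovered_issuer: str, token_iss: str) -> bool:
    """Spec rule: Issuer Identifier from discovery MUST exactly match 'iss'.

    No prefix matching, no case folding, no trailing-slash tolerance: a
    token for 'https://host/abop' is not a token for 'https://host/'.
    """
    return discovered_issuer == token_iss


def prefix_matches(discovered_issuer: str, token_iss: str) -> bool:
    """The leading-substring match the mail asks about, for contrast only.

    It accepts any 'iss' that merely starts with the discovered issuer, so
    tokens claiming a different issuer under the same host would be
    validated with keys that belong to another issuer.
    """
    return token_iss.startswith(discovered_issuer)


def keys_for_issuer(iss: str, key_store: dict) -> list:
    """Look up verification keys by the exact issuer string only.

    Returns an empty list when nothing was stored under that issuer, so a
    mismatching token can never borrow another issuer's keys.
    """
    return list(key_store.get(iss, []))


def check_id_token_issuer(payload: dict, discovered_issuer: str, key_store: dict):
    """Validate the 'iss' claim of a decoded ID Token payload.

    Returns (accepted, reason, keys). Signature verification would follow
    using the returned keys; it is outside this example.
    """
    iss = payload.get("iss")
    if not isinstance(iss, str) or not iss:
        return False, "missing iss", []
    if not issuer_matches(discovered_issuer, iss):
        return False, "iss %r != discovered issuer %r" % (iss, discovered_issuer), []
    keys = keys_for_issuer(iss, key_store)
    if not keys:
        return False, "no keys stored for issuer", []
    return True, "ok", keys


if __name__ == "__main__":
    # Constructed payloads: the mail's mismatching case and a matching one.
    for payload in ({"iss": ID_TOKEN_ISS, "sub": "alice"},
                    {"iss": DISCOVERED_ISSUER, "sub": "alice"}):
        accepted, reason, keys = check_id_token_issuer(payload, DISCOVERED_ISSUER, KEY_STORE)
        print(payload["iss"], "->", "accepted" if accepted else "rejected", "(%s)" % reason)
    print("prefix match would have accepted the mismatch:",
          prefix_matches(DISCOVERED_ISSUER, ID_TOKEN_ISS))
```

Under the exact-match rule the issuer learned from discovery is the only identity the RP trusts, so either the OP's discovery document must publish 'https://connect.openid4.us/abop' as its issuer or the ID Token must carry 'https://connect.openid4.us/'; an RP that loosens the comparison to a prefix check silently widens which tokens a given key set can validate.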

