[Openid-specs-ab] key usage

Roland Hedberg roland.hedberg at adm.umu.se
Thu Aug 16 07:54:46 UTC 2012

OK, so I can answer my own question :-/

According to http://openid.net/specs/openid-connect-messages-1_0.html
section 5.2, bullet point 6:

For other Signing algorithms, the Client must use the signing key
provided in Discovery by the Issuer. The issuer must exactly match the
value of the iss (issuer) Claim.

I guess "other" refers to other than HMAC.

Room for a new test case

-- Roland

Roland Hedberg wrote 2012-08-16 09:31:
> Hi!
> I've just encountered this problem and I'm not sure we've decided how to
> cope with it.
> The example is with Edmund's OP but that is immaterial, I have the same
> problem with other OPs.
> When my RP gathers information about the OP, that information has an
> issuer. In Edmund's case "https://connect.openid4.us/".
> My RP then gathers the keys published by the OP and stores them as owned
> by the issuer.
> Later I get an ID Token from the OP with 'iss' defined as
> 'https://connect.openid4.us/abop' which is not the same as the 'owner'
> of the OP's keys.
> So, what to do?
> Am I supposed to do a leading substring match with the OP information
> issuer or am I to check against the endpoints of the OP or is the
> assumption that the issuer of the OP information should be the same as
> the issuer of the ID Token?
> -- Roland

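The key-selection rule quoted from section 5.2, shown as an added example that is not part of the original post and is not the poster's RP code. The function names and the key entry are hypothetical; using the client secret for HMAC and refusing unsigned tokens are assumptions of this example, and the signature check itself is not shown.

```python
import base64
import json

# Constructed data: the two issuer strings come from the post, the key entry is made up.
DISCOVERED_ISSUER = "https://connect.openid4.us/"
KEYS_BY_ISSUER = {DISCOVERED_ISSUER: [{"kty": "RSA", "kid": "example-key-1"}]}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _decode(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def make_sample_token(alg, iss):
    """Build a JWS-shaped string with a dummy signature (constructed test input)."""
    return ".".join([_b64url({"alg": alg}), _b64url({"iss": iss}), "dummy-signature"])


def select_verification_keys(id_token, keys_by_issuer, client_secret=None):
    """Pick the keys an RP may try for this ID Token; raise ValueError otherwise.

    Only key selection is shown; the signature check itself is not implemented.
    """
    header_seg, claims_seg, _signature = id_token.split(".")
    alg = _decode(header_seg).get("alg", "")
    iss = _decode(claims_seg).get("iss")
    if alg.startswith("HS"):
        # HMAC case (assumption): the shared client secret is the key.
        if client_secret is None:
            raise ValueError("HMAC-signed token but no client secret available")
        return [client_secret]
    if alg in ("", "none"):
        raise ValueError("unsigned ID Token refused in this example")
    # "Other" algorithms: exact string match, no prefix match, no normalisation.
    if iss not in keys_by_issuer:
        raise ValueError(f"no discovered keys for issuer {iss!r}")
    return keys_by_issuer[iss]


def prefix_match_would_accept(iss, keys_by_issuer):
    """The leading-substring alternative from the question, for comparison only."""
    return any(iss.startswith(known) for known in keys_by_issuer)
```

With the values from the post, the exact match rejects an ID Token whose `iss` is `https://connect.openid4.us/abop`, while a leading substring match would accept it and hand the discovered keys to a different issuer string.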