Roland Hedberg roland.hedberg at adm.umu.se
Wed Aug 22 06:55:53 UTC 2012


Keeping tabs on issuer is important since it's coupled to which keys are

Everything starts with Section 3.3 in

"If the configuration response contains the issuer element, the value
MUST exactly match the issuer for the URL that was directly used to
retrieve the configuration."

I had a bit of a problem parsing this sentence but my interpretation is
that issuer is the location URL you find using SWD.

Using the example, if you get:

HTTP/1.1 200 OK
Content-Type: application/json


And then do a GET on
https://server.example.com/.well-known/openid-configuration then

issuer == "https://server.example.com"

issuer is *not* equal to the URL I used to get the configuration.

Right?

-- Roland
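
The check discussed in the message above, as an added example that is not part of the original post or of any project's code. It follows the reading given in the post (issuer is the configuration URL minus the /.well-known/openid-configuration suffix); the function names and the sample responses are constructed for illustration.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"


class IssuerMismatch(ValueError):
    """The configuration names an issuer other than the one it was fetched for."""


def issuer_for_config_url(config_url):
    """Return the issuer a configuration URL belongs to (URL minus the suffix)."""
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError("not a configuration URL: %r" % config_url)
    return config_url[: -len(WELL_KNOWN)]


def check_issuer(config_url, body):
    """Apply the quoted rule; return the issuer to file this provider's keys under."""
    expected = issuer_for_config_url(config_url)
    config = json.loads(body)
    if "issuer" not in config:
        # The quoted rule only constrains the value when it is present.
        # Assumption of this example: fall back to the issuer we asked for.
        return expected
    issuer = config["issuer"]
    # "MUST exactly match": plain string equality, no case folding,
    # no trailing-slash or default-port normalisation.
    if issuer != expected:
        raise IssuerMismatch("got %r, expected %r" % (issuer, expected))
    return issuer


def verdict(config_url, body):
    """Summarise check_issuer() as a short string for display."""
    try:
        return "ok: " + check_issuer(config_url, body)
    except IssuerMismatch:
        return "mismatch"


# Constructed sample responses, not captured traffic.
URL = "https://server.example.com" + WELL_KNOWN
SAMPLES = [
    '{"issuer": "https://server.example.com"}',
    '{"issuer": "https://server.example.com/"}',
    '{"issuer": "https://server.example.com/.well-known/openid-configuration"}',
    '{"issuer": "https://other.example.net"}',
    '{"authorization_endpoint": "https://server.example.com/authorize"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(verdict(URL, body), "<-", body)
```

Only the first and last samples pass: a trailing slash, the configuration URL itself, or another host as issuer are all rejected, so keys fetched afterwards are never filed under an issuer the client did not ask for.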

