[Openid-specs-ab] Determining OP Issuer

Tim Bray tbray at textuality.com
Thu Apr 4 00:19:56 UTC 2013

I’m looking at http://openid.net/specs/openid-connect-discovery-1_0.html

and in section 4.1 it says “The Client would make the following request to
the Issuer to get the Configuration information” where the Issuer is
discovered using WebFinger as described in Section 2.

I’m wondering if it might also make sense to determine the issuer by
reading it out of the ID Token you just received.  The “iss” claim is
required, after all.

Once again, I’m suffering from having missed the first seven eighths of
this discussion.  I’m looking for a deterministic way for an RP to validate
an ID Token.  If I read Section 2 correctly, the recommended way to do this
is to start with the email address and figure out the issuer from that
using WebFinger.

We’re using ID Tokens as unsolicited assertions that this we’ve
authenticated a person, identified inside the token, by sub/email. If I
want to be convinced that the issuer really asserted that the sub is
authenticated, must I go sideways through WebFinger, couldn't I just go get
the /.well-known/openid-configuration from the issuer, fetch the keys, and
do it that way?  -T
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130403/e238c63f/attachment.html>

More information about the Openid-specs-ab mailing list