[Openid-specs-ab] Issue #858: Messages iss clarification (openid/connect)

John Bradley issues-reply at bitbucket.org
Tue Jul 2 01:23:57 UTC 2013

New issue 858: Messages iss clarification

John Bradley:

iss may need clarification that it is a https: scheme URI in sec

One or more interop participants are using host names as issuer without a scheme.

This is clear in discovery.

In Messages, the definition of issuer identifier:
Verifiable identifier for an Issuer. An Issuer Identifier is a URL using the https scheme that contains scheme, host, and OPTIONALLY, port number and path components. (No query or fragment components MAY be present.)

Also Sec 9.14:

OpenID Connect supports multiple issuers per Host and Port combination. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.

OpenID Connect treats the path component of any URI as part of the user identifier. For instance, the subject "1234" with an issuer of "https://example.com" is not equivalent to the subject "1234" with an issuer of "https://example.com/sales".
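
An added example, not part of the original message or of the specification text: a Python sketch of a relying-party check that applies the quoted Issuer Identifier definition and the exact-match rule from Sec 9.14. The function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def issuer_problems(iss):
    """Return reasons `iss` fails the Issuer Identifier definition quoted above."""
    try:
        parts = urlsplit(iss)
        _ = parts.port  # property access raises ValueError on a malformed port
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host component")
    # Check the raw string so a bare trailing "?" or "#" is caught as well.
    if "?" in iss or "#" in iss:
        problems.append("query or fragment present")
    return problems

def check_id_token_issuer(discovered_issuer, token_iss):
    """Validate the ID Token's iss and compare it to the discovered issuer."""
    problems = issuer_problems(token_iss)
    # Exact string comparison, no normalization: the path is significant.
    if token_iss != discovered_issuer:
        problems.append("iss does not exactly match the discovered issuer")
    return problems

# Constructed sample values: (issuer from discovery, iss claim in the ID Token).
SAMPLES = [
    ("https://example.com", "https://example.com"),
    ("https://example.com", "example.com"),                # host name, no scheme
    ("https://example.com", "https://example.com/sales"),  # different path
    ("https://example.com/sales", "https://example.com/sales?tenant=1"),
]

if __name__ == "__main__":
    for discovered, iss in SAMPLES:
        result = check_id_token_issuer(discovered, iss) or "ok"
        print(f"{iss!r} vs {discovered!r}: {result}")
```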
