[Openid-specs-ab] Issue #876: Google "iss" value missing https:// (openid/connect)
issues-reply at bitbucket.org
Thu Sep 26 01:45:47 UTC 2013
New issue 876: Google "iss" value missing https://
Google uses the string "accounts.google.com" as its "iss" claim value in ID Tokens, even though the spec requires it to be a URL using the https scheme. This difference from the spec wasn't caught early in their implementation and now it would be hard to change.
At a minimum, we probably need to add a note to implementers saying that they'll need to allow this as a special case to interop with Google. We should also probably say that omitting the https:// should not be allowed in the general case.
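One way a relying party could implement the check described in this issue, as an added example that is not code from the issue or the specification: exact matching against the configured https issuer, with the scheme-less value accepted only for Google. The alias table and function names are hypothetical, and the configured Google issuer `https://accounts.google.com` is an assumption.

```python
from urllib.parse import urlsplit

# Per-issuer exceptions, keyed by the configured, spec-conformant issuer.
# Assumption: the relying party configures Google as "https://accounts.google.com".
# Hypothetical table; nothing else gets a scheme-less alias.
LEGACY_ISS_ALIASES = {
    "https://accounts.google.com": frozenset({"accounts.google.com"}),
}


def is_https_issuer(value):
    """Return True if value is a URL using the https scheme with a host."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
        return parts.scheme == "https" and bool(parts.hostname)
    except ValueError:  # malformed authority, e.g. an unclosed "[" in the host
        return False


def iss_matches(claimed_iss, expected_issuer):
    """Decide whether an ID Token "iss" claim is acceptable for expected_issuer."""
    # The configured issuer must itself follow the spec, so a scheme-less
    # value can never become the general rule through configuration.
    if not is_https_issuer(expected_issuer):
        raise ValueError("configured issuer must be an https URL")
    if not isinstance(claimed_iss, str):
        return False
    # General case: exact, case-sensitive match with the https issuer.
    if claimed_iss == expected_issuer:
        return True
    # Special case: a listed legacy value, and only for the issuer it is
    # listed under. No prefixing or normalisation is applied to other values.
    return claimed_iss in LEGACY_ISS_ALIASES.get(expected_issuer, frozenset())
```

Keying the exception by the configured issuer means the string "accounts.google.com" is rejected for every other provider, and an issuer such as "idp.example.com" without its scheme is rejected everywhere.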