[Openid-specs-ab] Issue #876: Google "iss" value missing https:// (openid/connect)

Michael Jones issues-reply at bitbucket.org
Thu Sep 26 01:45:47 UTC 2013

New issue 876: Google "iss" value missing https://

Michael Jones:

Google uses the string "accounts.google.com" as its "iss" claim value in ID Tokens, even though the spec requires it to be a URL using the https scheme.  This difference from the spec wasn't caught early in their implementation and now it would be hard to change.

At a minimum, we probably need to add a note to implementers saying that they'll need to allow this as a special case to interop with Google.  We should also probably say that omitting the https:// should not be allowed in the general case.
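The special case described in the issue, as an added example that is not part of the original message or of any OpenID Connect implementation: an `iss` check that accepts the bare `accounts.google.com` value only when the configured issuer is Google, and rejects a missing `https://` everywhere else. The function names, the alias table and the `idp.example.com` issuer are assumptions made for illustration; the claims are assumed to come from an ID Token whose signature has already been verified.

```python
from urllib.parse import urlsplit

# Legacy bare-hostname "iss" values, keyed by the https issuer they stand for.
# Only the Google value named in the issue is listed (table is an assumption).
LEGACY_ISS_ALIASES = {"https://accounts.google.com": {"accounts.google.com"}}


def is_valid_issuer_url(value):
    """True if value is an https URL with a host and no query or fragment
    (the shape OpenID Connect Core gives for issuer identifiers)."""
    if not isinstance(value, str) or "?" in value or "#" in value:
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed bracketed host
        return False
    return parts.scheme == "https" and bool(parts.hostname)


def check_iss(claims, expected_issuer):
    """Return (ok, reason) for the iss claim of a signature-verified ID Token."""
    if not is_valid_issuer_url(expected_issuer):
        raise ValueError("configured issuer must be an https URL")
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False, "iss missing or not a string"
    if iss == expected_issuer:  # case-sensitive exact comparison
        return True, "exact match"
    # The alias is tied to one configured issuer, so the bare hostname is
    # never accepted on behalf of any other provider.
    if iss in LEGACY_ISS_ALIASES.get(expected_issuer, ()):
        return True, "legacy alias for configured issuer"
    if not is_valid_issuer_url(iss):
        return False, "iss is not an https URL"
    return False, "iss does not match configured issuer"


if __name__ == "__main__":
    google = "https://accounts.google.com"
    other = "https://idp.example.com"  # constructed issuer for the demo
    for claims, expected in [
        ({"iss": "accounts.google.com"}, google),
        ({"iss": "accounts.google.com"}, other),
        ({"iss": "idp.example.com"}, other),
        ({"iss": "http://accounts.google.com"}, google),
    ]:
        print(claims["iss"], "vs", expected, "->", check_iss(claims, expected))
```

Keeping the exception in a table keyed by the full https issuer means the relaxation cannot leak into the general case.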
