[Openid-specs-ab] Discovery text question

Nat Sakimura sakimura at gmail.com
Wed Dec 18 21:04:19 UTC 2013

I suspect this was written by John.

This sentence, while obscure, IMHO, is talking about the delegation use
Supppose I have used nat at sakimura.org as a user identifier.
Since I use fullxri.com as my IdP, in the end, the issuer turns out to be
fullxri.com which is different than sakimura.org.
The second sentence is talking about this, I think.

This is kind of a important usecase. While I use an obscure IdP such as
fullxri, many corporations use Google Apps for domains for their IdP
service in which case the final issuer is going to be google.com.

So, while I am open to clarification, I object for the deletion.


2013/12/19 Mike Jones <Michael.Jones at microsoft.com>

> http://openid.bitbucket.org/openid-connect-discovery-1_0.html#ProviderConfigurationValidationcurrently says:
> The issuer value returned MUST be identical to the Issuer URL that was
> directly used to retrieve the configuration information. This MUST also be
> identical to the iss Claim value in ID Tokens issued from this Issuer. Since
> the discovery process allows for multiple levels of redirection, this
> Issuer URL MAY be different from the one originally used to begin the
> discovery process.
> The intended meaning of the last sentence isn’t clear to me. First, do
> people believe this sentence is still valid or should it be deleted?
>  Unless people come up with a clearer meaning and say why it needs to be
> retained, I’d suggest deletion.  Any objections, or do people want to
> suggest clearer wording?
>                                                             -- Mike
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131219/1e747d4c/attachment.html>

More information about the Openid-specs-ab mailing list