[Openid-specs-ab] Discovery text question

Mike Jones Michael.Jones at microsoft.com
Wed Dec 18 21:45:23 UTC 2013

I actually think it used to be talking about the fact that Simple Web Discovery had redirection return values.  Anyway, it could have been trying to talk about what you're discussing.  How about this for a replacement?

Note that since the host and resource values determined from the user input Identifier is used as input to a WebFinger request, which can return an Issuer value using a completely different domain, no relationship can be assumed between the user input Identifier string and the resulting Issuer location.

If this is what you're talking about wanting to say, where it is isn't the right place to say it, but I can figure out the right place to do so.

                                                            -- Mike

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Wednesday, December 18, 2013 1:04 PM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net; John Bradley
Subject: Re: [Openid-specs-ab] Discovery text question

I suspect this was written by John.

This sentence, while obscure, IMHO, is talking about the delegation use case.
Supppose I have used nat at sakimura.org<mailto:nat at sakimura.org> as a user identifier.
Since I use fullxri.com<http://fullxri.com> as my IdP, in the end, the issuer turns out to be fullxri.com<http://fullxri.com> which is different than sakimura.org<http://sakimura.org>.
The second sentence is talking about this, I think.

This is kind of a important usecase. While I use an obscure IdP such as fullxri, many corporations use Google Apps for domains for their IdP service in which case the final issuer is going to be google.com<http://google.com>.

So, while I am open to clarification, I object for the deletion.


2013/12/19 Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>>
http://openid.bitbucket.org/openid-connect-discovery-1_0.html#ProviderConfigurationValidation currently says:

The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer. Since the discovery process allows for multiple levels of redirection, this Issuer URL MAY be different from the one originally used to begin the discovery process.

The intended meaning of the last sentence isn't clear to me. First, do people believe this sentence is still valid or should it be deleted?  Unless people come up with a clearer meaning and say why it needs to be retained, I'd suggest deletion.  Any objections, or do people want to suggest clearer wording?

                                                            -- Mike

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131218/a5490e99/attachment-0001.html>

More information about the Openid-specs-ab mailing list