[Openid-specs-ab] Issue #934: Migration - openid.realm description now bogus (openid/connect)
issues-reply at bitbucket.org
Fri Aug 8 01:14:56 UTC 2014
New issue 934: Migration - openid.realm description now bogus
It was using the key pair before, but now is just comparing iss.
So, this text should also change.
If the authority section of Authorization Endpoint URI is different from the authority section of the OpenID 2.0 OP’s OP Endpoint URL, the ID Token returned from the authentication request MUST be signed using the OP’s private key. The OP's corresponding public key MUST be published through the OpenID 2.0 Identifier URL with application/jwk-set+json mime-type in response to a GET request with an Accept header set to application/jwk-set+json.
If the authority section of Authorization Endpoint URI is different from the authority section of the OpenID 2.0 OP’s OP Endpoint URL, the client MUST issue a GET request to it with an Accept header set to application/json to obtain the value of iss claim in it. The value of the iss claim obtained this way and the value of the iss claim in the ID Token MUST exactly match.
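An added example, not part of the original message or of the specification: one way a client could apply the iss comparison in the second quoted paragraph. It assumes that "it" in that paragraph means the OpenID 2.0 OP Endpoint URL and that comparing host and port is enough to compare authority sections; the function names, the `http_get` callable and the example.com URLs are hypothetical.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def authority(url):
    """Return (host, port) of a URL: host lowercased, default port filled in."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no authority in {url!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return parts.hostname.lower(), port

def check_migration_iss(authz_endpoint, op_endpoint, id_token_iss, http_get):
    """Apply the iss-comparison rule quoted in the issue.

    http_get(url, headers) -> response body as str is supplied by the caller
    (hypothetical signature), so the check can run without a network.
    Returns False only when this rule rejects the ID Token.
    """
    if authority(authz_endpoint) == authority(op_endpoint):
        return True  # same authority: the rule does not apply
    # Assumption: the GET goes to the OpenID 2.0 OP Endpoint URL.
    body = http_get(op_endpoint, {"Accept": "application/json"})
    try:
        published = json.loads(body).get("iss")
    except (ValueError, AttributeError):
        return False  # not JSON, or not a JSON object
    # "MUST exactly match": no case folding, no trailing-slash normalisation.
    return isinstance(published, str) and published == id_token_iss

# Constructed sample data: what the OP Endpoint URL returns for the GET.
SAMPLE_RESPONSES = {
    "https://openid2.example.com/op": '{"iss": "https://connect.example.com"}',
}

def sample_get(url, headers):
    """Offline stand-in for an HTTP client; checks the Accept header."""
    if headers.get("Accept") != "application/json":
        raise ValueError("Accept header must be application/json")
    return SAMPLE_RESPONSES[url]
```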