[Openid-specs-ab] Issue #934: Migration - openid.realm description now bogus (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Fri Aug 8 01:14:56 UTC 2014


New issue 934: Migration - openid.realm description now bogus
https://bitbucket.org/openid/connect/issue/934/migration-openidrealm-description-now

Nat Sakimura:

It was using the key pair before, but now is just comparing iss. 
So, this text should also change. 

Currently:

If the authority section of Authorization Endpoint URI is different from the authority section of the OpenID 2.0 OP’s OP Endpoint URL, the ID Token returned from the authentication request MUST be signed using the OP’s private key. The OP's corresponding public key MUST be published through the OpenID 2.0 Identifier URL with application/jwk-set+json mime-type in response to a GET request with an Accept header set to application/jwk-set+json.

Change to: 

If the authority section of Authorization Endpoint URI is different from the authority section of the OpenID 2.0 OP’s OP Endpoint URL, the client MUST issue a GET request to it with an Accept header set to application/json to obtain the value of iss claim in it. The value of the iss claim obtained this way and the value of the iss claim in the ID Token MUST exactly match. 

Responsible: Nat

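The proposed rule as an added example (not from the issue or the specification text): a relying-party side check that first compares the authority sections of the two endpoints and, when they differ, compares the iss value from the fetched document against the iss claim in the ID Token with an exact string match. The sample URLs, the fetched JSON document and the demo ID Token are constructed, and the document is assumed to be a JSON object carrying an iss member.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample values for this example; none of these come from the issue.
AUTHORIZATION_ENDPOINT = "https://login.example.com/oauth2/authorize"
OPENID2_OP_ENDPOINT_URL = "https://op.example.org/openid/server"
# Assumed body returned by a GET on the OpenID 2.0 Identifier URL with Accept: application/json.
FETCHED_DOCUMENT = '{"iss": "https://login.example.com"}'


def authority(url: str) -> str:
    """Authority section of a URL (host and port); the host is compared case-insensitively."""
    return urlsplit(url).netloc.lower()


def migration_check_required(authorization_endpoint: str, op_endpoint_url: str) -> bool:
    """True when the authorities differ, i.e. the client must fetch the document and compare iss."""
    return authority(authorization_endpoint) != authority(op_endpoint_url)


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWS. Signature validation is a separate step
    that must succeed before these claims are relied on."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def iss_matches(id_token: str, fetched_document: str) -> bool:
    """The proposed rule: iss from the fetched document and the ID Token's iss MUST match
    exactly, so no normalisation (case, trailing slash) is applied before comparing."""
    fetched_iss = json.loads(fetched_document).get("iss")
    token_iss = id_token_claims(id_token).get("iss")
    if not isinstance(fetched_iss, str) or not isinstance(token_iss, str):
        return False
    return fetched_iss == token_iss


def make_demo_id_token(claims: dict) -> str:
    """Constructed ID Token with a placeholder signature segment, for this demo only."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"
```

A token whose iss differs only by a trailing slash fails the check, which is the intended consequence of "MUST exactly match".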