[Openid-specs-ab] Do we need to change the self issued provider scheme?
Michael.Jones at microsoft.com
Sat Mar 25 20:55:04 UTC 2017
My initial take on this is that given that OpenID Connect Core was finalized in 2014, before any of this new guidance was in place, it shouldn’t be affected, given there’s not an actual security issue at stake. The BCP is just that – best practices, not normative requirements – and the fact that a scheme was already in use before the guidance was drafted doesn’t somehow make the use of that scheme invalid.
That said, I’d be glad to talk with people about it this week and hear others’ views.
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura via Openid-specs-ab
Sent: Wednesday, March 1, 2017 5:50 AM
To: specs-ab <specs-ab at openid.net>
Subject: [Openid-specs-ab] Do we need to change the self issued provider scheme?
https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07 is in the WGLC now, which I am really happy about.
There is one thing that impacts OpenID Connect. While the self-issued provider currently uses openid: as the scheme name,
7.1.1<https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>. Custom URI Scheme Namespace Considerations
requires the reverse domain name: i.e., it sounds like we would have
to use net.openid instead. Should we do it as an errata/amendment?
Chairman of the Board, OpenID Foundation