[Openid-specs-ab] Do we need to change the self issued provider scheme?

Mike Jones Michael.Jones at microsoft.com
Sat Mar 25 20:55:04 UTC 2017

My initial take on this is that given that OpenID Connect Core was finalized in 2014, before any of this new guidance was in place, it shouldn’t be affected, given there’s not an actual security issue at stake.  The BCP is just that – best practices, not normative requirements – and the fact that a scheme was already in use before the guidance was drafted doesn’t somehow make the use of that scheme invalid.

That said, I’d be glad to talk with people about it this week and hear others’ views.

                                                       -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura via Openid-specs-ab
Sent: Wednesday, March 1, 2017 5:50 AM
To: specs-ab <specs-ab at openid.net>
Subject: [Openid-specs-ab] Do we need to change the self issued provider scheme?


https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07 is in the WGLC now, which I am really happy about.

There is one thing that impacts OpenID Connect. While the self-issued provider currently uses openid: as the scheme name,

7.1.1<https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>.  Custom URI Scheme Namespace Considerations

requires the reverse domain name: i.e., it sounds like we would have
to use net.openid instead. Should we do it as an errata/amendment?



Nat Sakimura

Chairman of the Board, OpenID Foundation