[Openid-specs-ab] Distinguishing between an OpenID Connect discovery document and a RFC 8414 one

William Denniss wdenniss at google.com
Fri Mar 29 20:25:36 UTC 2019


It occurred to me that RFC 8414 and OpenID Connect Discovery while being
functionally very close, define different REQUIRED metadata. Specifically
OpenID Connect is a superset of the REQUIRED metadata in RFC 8414,
adding jwks_uri, subject_types_supported,
and id_token_signing_alg_values_supported as required metadata fields.

As a client, if I want to support both specifications, and want to enforce
the presence of required metadata, is there a way to know from the document
itself whether a metadata document is following OpenID Connect Discovery
rather than RFC 8414 in order to enforce the additional required fields?

Direct links to the relevant sections:
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
https://tools.ietf.org/html/rfc8414#section-2

Currently this client (AppAuth) will operate in "OpenID Connect" mode when
given a discovery doc with an issuer, and "OAuth 2.0" mode when not. One
possible resolution could be that the mode should no longer be inferred by
whether or not a discovery doc is supplied (now that OAuth also has
metadata), and rather that this should be an explicit choice by the
developer. Another resolution (which would be the simplest option) is that
since the client doesn't actually need those required fields for its own
operation, we can relax the rule and only validate RFC 8414 required fields.

William
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190329/11e1ab18/attachment.html>


More information about the Openid-specs-ab mailing list