[OpenID] discovery url vs issuer
Paul Hethmon
paul.hethmon at clareitysecurity.com
Wed Jan 27 22:38:26 UTC 2016
First, I haven’t seen any traffic from this list since joining a month ago, so if I’m off topic, please let me know.
I am beginning conformance testing and seeing an unexpected error from the conformance tool. My setup is that my issuer has a value like:
https://idp.clareitystore.net/idp/shibboleth
I’ve got my metadata at this URL:
https://idp.clareitystore.net/idp/openid/configuration
With support for appending the value “.well-known/openid-configuration”. That returns a metadata document with my issuer value as above.
Testing gives me:
0.000465 ------------ DiscoveryRequest ------------
0.000496 Provider info discover from 'https://idp.clareitystore.net/idp/openid/configuration'
0.000503 --> URL: https://idp.clareitystore.net/idp/openid/configuration/.well-known/openid-configuration
0.161675 [ERROR] IssuerMismatch:'https://idp.clareitystore.net/idp/openid/configuration' != 'https://idp.clareitystore.net/idp/shibboleth'
So it’s obvious the tool is requiring the issuer value to be where the discovery request goes to and that it match.
Where in the spec does it say that? I’m not finding it. In the OpenID Connect Discovery 1.0 (errata set 1), section 3 says:
issuer
REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
Is that where the match comes from? If I do Discovery, then the WebFinger value MUST match? Since that value is the location of the metadata, then that now means that my Issuer value must be the actual URL for Discovery.
From a legacy perspective, it would be better for me to not have the issuer be the URL for the Discovery metadata location, but if it must match in that way, then either I have to change a lot of identifiers or drop Discovery.
thanks,
Paul
-----
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
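The check the conformance tool is applying in the post comes from OpenID Connect Discovery 1.0, sections 4.1 and 4.3: a client forms the configuration URL by appending /.well-known/openid-configuration to the Issuer Identifier, and the issuer member of the document it gets back MUST be identical to the Issuer URL it used to fetch it. The following is an added, illustrative re-implementation of that client-side check (not the conformance tool's code and not part of the original post). The function names, the in-memory fetch stand-in, and both configuration documents are constructed for the example; the two URLs mirror the ones in the post, so the first case reproduces the IssuerMismatch the tool reported and the second shows the layout that passes.

```python
"""Client-side OpenID Connect Discovery issuer check (illustrative)."""
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def is_valid_issuer(issuer: str) -> bool:
    """Discovery 1.0 section 3: https scheme, no query, no fragment."""
    parts = urlsplit(issuer)
    return parts.scheme == "https" and not parts.query and not parts.fragment


def well_known_url(issuer: str) -> str:
    """Discovery 1.0 section 4.1: strip a trailing '/' from the issuer path,
    then append the well-known suffix."""
    if not is_valid_issuer(issuer):
        raise ValueError(f"not a valid Issuer Identifier: {issuer!r}")
    return issuer.rstrip("/") + WELL_KNOWN_SUFFIX


class IssuerMismatch(Exception):
    """Raised when the advertised issuer differs from the one used to fetch."""


def validate_discovery(issuer_used: str, document: dict) -> dict:
    """Discovery 1.0 section 4.3: the 'issuer' member MUST be identical to the
    Issuer URL that was used to retrieve the document (exact string match)."""
    advertised = document.get("issuer")
    if advertised != issuer_used:
        raise IssuerMismatch(f"{issuer_used!r} != {advertised!r}")
    return document


def discover(issuer: str, fetch) -> dict:
    """Run discovery for an issuer; `fetch` maps a URL to the JSON text it serves."""
    return validate_discovery(issuer, json.loads(fetch(well_known_url(issuer))))


# Constructed, offline stand-in for the HTTP GET. Both documents are samples
# made for this example; they are not the real metadata of the host in the post.
CONSTRUCTED_DOCS = {
    # Case 1: document hosted under .../idp/openid/configuration but advertising
    # .../idp/shibboleth as its issuer (the situation described in the post).
    "https://idp.clareitystore.net/idp/openid/configuration" + WELL_KNOWN_SUFFIX:
        json.dumps({"issuer": "https://idp.clareitystore.net/idp/shibboleth"}),
    # Case 2: document hosted at the issuer itself, so the values agree.
    "https://idp.clareitystore.net/idp/shibboleth" + WELL_KNOWN_SUFFIX:
        json.dumps({"issuer": "https://idp.clareitystore.net/idp/shibboleth"}),
}


def constructed_fetch(url: str) -> str:
    """Serve the constructed documents; anything else behaves like a 404."""
    try:
        return CONSTRUCTED_DOCS[url]
    except KeyError:
        raise LookupError(f"404 for {url}") from None


def discovery_error(issuer: str, fetch=constructed_fetch):
    """Return the error message discovery would report, or None on success."""
    try:
        discover(issuer, fetch)
    except (IssuerMismatch, LookupError, ValueError) as exc:
        return f"{type(exc).__name__}: {exc}"
    return None


if __name__ == "__main__":
    for issuer in ("https://idp.clareitystore.net/idp/openid/configuration",
                   "https://idp.clareitystore.net/idp/shibboleth"):
        print(issuer, "->", discovery_error(issuer) or "OK")
```

Because the comparison in section 4.3 is an exact string match, the only ways to satisfy a conforming client are to host the document at the issuer's own well-known location (case 2) or to change the issuer (and therefore the iss claim in every ID Token) to the URL where the document actually lives; a redirect or a separately configured discovery URL does not change what the client compares.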