[OpenID] discovery url vs issuer
Paul Hethmon
paul.hethmon at clareitysecurity.com
Thu Jan 28 13:35:13 UTC 2016
John,
Thanks for the information.
> On Jan 27, 2016, at 9:29 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
> I suspect that you are going to be better off with the interop testing list.
>
> Information on testing and subscribing to the list are at this link.
>
> http://osis.idcommons.net/wiki/OC5:OpenID_Connect_Interop_5
I will get signed up and involved there, hadn’t found that one.
>
> To answer the question, yes they must all match. The value of issuer is the uri before appending /.well-known/openid-configuration to the issuer per sec 4 of discovery.
There’s the section I missed. Section 4 is very clear.
>
> The value returned by the webfinger element with the rel member value of http://openid.net/specs/connect/1.0/issuer is the issuer identifier and not the location of the meta-data.
>
> That is in Sec 2 of Discovery.
>
> Perhaps in a future errata we might add a note to make that clearer in Sec 2.
A note with a pointer to see Sec 4 would be helpful.
>
> You are now going to ask why the whole string for the meta-data location is not used as the issuer.
>
> We did debate that at the time and the answer is size.
Fair enough.
I’ve read (and written) enough specs to know better than to stop reading, but in the rush to get things out the door, there’s a tendency to stop reading once you believe you have the answer.
thanks,
Paul
-----
Paul Hethmon
Chief Software Architect
paul.hethmon at clareitysecurity.com
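The three rules John states above (the WebFinger href is the issuer identifier, the metadata URL is that issuer plus /.well-known/openid-configuration per sec 4, and the returned values must all match), as an added Python example; this is not code from the thread or from any OpenID project. It goes slightly beyond the thread by dropping a terminating slash before appending (sec 4) and rejecting metadata whose issuer is not identical to the one used to fetch it (sec 4.3); the provider, subject and documents are constructed.

```python
import json
from typing import Any, Callable, Dict

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
WELL_KNOWN = "/.well-known/openid-configuration"

def issuer_from_webfinger(jrd: Dict[str, Any]) -> str:
    """Discovery sec 2: the href of the link whose rel is the OpenID issuer rel
    is the issuer identifier itself, not the location of the metadata."""
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"]
    raise ValueError("no OpenID Connect issuer link in WebFinger response")

def discovery_url(issuer: str) -> str:
    """Discovery sec 4: metadata lives at issuer + /.well-known/openid-configuration,
    with any terminating '/' on the issuer removed before appending.
    Assumption: the issuer is an https URL without query or fragment."""
    if not issuer.startswith("https://") or "?" in issuer or "#" in issuer:
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    return issuer.rstrip("/") + WELL_KNOWN

def fetch_and_check_config(issuer: str, fetch: Callable[[str], str]) -> Dict[str, Any]:
    """Fetch the metadata and enforce Discovery sec 4.3: the 'issuer' member must be
    identical (plain string comparison, no normalisation) to the issuer used to
    build the URL; anything else is metadata for some other issuer and is rejected."""
    config = json.loads(fetch(discovery_url(issuer)))
    if config.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: expected {issuer!r}, got {config.get('issuer')!r}")
    return config

# Constructed sample data (hypothetical provider, not a real deployment).
SAMPLE_JRD = {
    "subject": "acct:joe@op.example",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://op.example/joe"},
        {"rel": OIDC_ISSUER_REL, "href": "https://op.example/tenant1"},
    ],
}
SAMPLE_DOCS = {
    "https://op.example/tenant1/.well-known/openid-configuration": json.dumps(
        {"issuer": "https://op.example/tenant1", "jwks_uri": "https://op.example/tenant1/jwks"}),
    # Trailing slash differs from the issuer used to fetch it: must be rejected.
    "https://op.example/tenant2/.well-known/openid-configuration": json.dumps(
        {"issuer": "https://op.example/tenant2/", "jwks_uri": "https://op.example/tenant2/jwks"}),
}

def offline_fetch(url: str) -> str:
    """Stand-in for an HTTPS GET so the example runs offline."""
    return SAMPLE_DOCS[url]
```

Call `fetch_and_check_config(issuer_from_webfinger(SAMPLE_JRD), offline_fetch)` to walk the full chain; swapping `offline_fetch` for a real HTTPS client is the only change needed against a live provider.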