[Openid-specs-ab] Issue #958: Migration - (te) Update verification rule for XRI (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Thu Sep 4 04:00:40 UTC 2014


New issue 958: Migration - (te) Update verification rule for XRI
https://bitbucket.org/openid/connect/issue/958/migration-te-update-verification-rule-for

Nat Sakimura:

(Just recording ML discussion here for the record so that I can resolve with a commit.) 

Forwarding service is a service that XRI providers need to implement.
You can create a node under your XRI to point to another location.

For example, I can define

=nat/(+contact)

to forward it to a contact page of my choice.

Similarly, I could create

=nat/(+openid_iss)

and map it to any page.

For example, if my OpenID Connect issuer is https://example.com/
then I can define =nat/(+openid_iss) to map to https://example.com/.

It works this way.

1) The client sends a request to https://xri.net/=nat/(+openid_iss).
2) The host xri.net responds with a 302 redirect to, for example,
   http://forwarding.fullxri.com/forwading/=nat/(+openid_iss)
3) The client sends a request to it.
4) The host replies with 302 redirect to
   https://example.com/
5) The client requests https://example.com/.
6) The page returns 200 OK so the redirection sequence terminates here.
7) Now the client has found that https://example.com/ is the
   authoritative OpenID Connect issuer.
8) Match it to the value of "iss" in the ID Token.

This should work with any XRI provider without xri.net doing something.

Thoughts?

Responsible: Nat
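
Steps 1 to 8 above, sketched as an added example; it is not part of the original post or of the specification text. The function names, the injected `fetch` callable, the hop limit and the reporting of non-HTTPS hops are assumptions, and the responses are constructed from the URLs in the post so that nothing touches the network.

```python
from urllib.parse import urljoin, urlsplit

# Constructed responses mirroring steps 1-6 of the post; no network is used.
SAMPLE_HOPS = {
    "https://xri.net/=nat/(+openid_iss)":
        (302, "http://forwarding.fullxri.com/forwading/=nat/(+openid_iss)"),
    "http://forwarding.fullxri.com/forwading/=nat/(+openid_iss)":
        (302, "https://example.com/"),
    "https://example.com/": (200, None),
}

def sample_fetch(url):
    """Hypothetical transport: returns (status, Location) without following."""
    return SAMPLE_HOPS[url]

def resolve_issuer(xri, fetch, max_hops=5):
    """Follow 302s from the xri.net URL until a 200 OK ends the chain (steps 1-7)."""
    url = "https://xri.net/" + xri + "/(+openid_iss)"
    chain = [url]
    for _ in range(max_hops):  # hop limit is an assumption, not from the post
        status, location = fetch(url)
        if status == 200:
            return url, chain
        if status != 302 or not location:
            raise ValueError("unexpected response %r from %s" % (status, url))
        url = urljoin(url, location)
        if url in chain:
            raise ValueError("redirect loop at " + url)
        chain.append(url)
    raise ValueError("too many redirects")

def verify_iss(xri, id_token_iss, fetch):
    """Step 8: the discovered issuer must equal the ID Token "iss" exactly.

    Also returns the hops that were not fetched over HTTPS, so a caller can
    see where the chain left TLS (an added check, not part of the post).
    """
    issuer, chain = resolve_issuer(xri, fetch)
    plaintext_hops = [u for u in chain if urlsplit(u).scheme != "https"]
    ok = urlsplit(issuer).scheme == "https" and issuer == id_token_iss
    return ok, issuer, plaintext_hops
```
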


