[Openid-specs-ab] Issue #1013: Use of authority in discover (openid/connect)
tomcjones
issues-reply at bitbucket.org
Wed Apr 5 19:00:35 UTC 2017
New issue 1013: Use of authority in discover
https://bitbucket.org/openid/connect/issues/1013/use-of-authority-in-discover
tomcjones:
Section 2.1 of the discover document includes a port number on the authority based on the URI RFC (see below). Unfortunately this is not consistent as no scheme in wide use allows this behavior, and AFAICT there was no standard scheme in place that allowed it at the time. In general a URI MUST have a scheme. The real problem is that since the scheme mailto: does not allow a port number, it is not practically possible for a user at a computer to enter a user name that contains a port number. I strongly recommend that port numbers in authorities be removed since it is not possible in practice to discover the port number.
NOTE: Since the definition of authority in RFC 3986 [RFC3986] is [ userinfo "@" ] host [ ":" port ], it is legal to have a user input identifier like userinfo@host:port, e.g., alice@example.com:8080.
Responsible: Nat
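
How a relying party would turn the identifiers discussed above into a WebFinger resource and host, as an added example that is not part of the original message or of the specification text. It assumes the normalization rules of OpenID Connect Discovery 1.0 Section 2.1.2 (acct is assumed only when userinfo and host are present and port, path and query are empty; otherwise https); the function name `normalize` and the rule for recognising an explicit scheme are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumption of this sketch: only "scheme://" and "acct:" count as explicit
# schemes, so "example.com:8080" is not misread as the scheme "example.com".
_EXPLICIT = re.compile(r"^(?:[A-Za-z][A-Za-z0-9+.\-]*://|acct:)", re.IGNORECASE)


def normalize(user_input):
    """Return (resource, host) for the WebFinger issuer-discovery request."""
    s = user_input.strip().split("#", 1)[0]  # the fragment is dropped
    if not _EXPLICIT.match(s):
        # Read as [userinfo "@"] host [":" port] path-abempty ["?" query]
        parts = urlsplit("//" + s)
        has_port = parts.port is not None or parts.netloc.endswith(":")
        plain = not (has_port or parts.path or parts.query)
        if parts.username is not None and parts.hostname and plain:
            s = "acct:" + s      # e-mail-like input such as alice@example.com
        else:
            s = "https://" + s   # anything carrying a port, path or query
    if s.lower().startswith("acct:"):
        # acct:user@host has no authority; the host follows the last "@"
        user, at, host = s[5:].rpartition("@")
        if not (user and at and host):
            raise ValueError("acct identifier needs user@host: %r" % user_input)
        return s, host.lower()
    parts = urlsplit(s)
    if not parts.hostname:
        raise ValueError("no host in identifier: %r" % user_input)
    # A non-numeric or out-of-range port raises ValueError here.
    if parts.port is None:
        return s, parts.hostname
    return s, "%s:%d" % (parts.hostname, parts.port)


if __name__ == "__main__":
    # Constructed sample inputs, including the one quoted in the NOTE.
    for ident in ("alice@example.com", "alice@example.com:8080",
                  "example.com:8080", "https://example.com/joe#frag"):
        print("%-32s -> %s" % (ident, normalize(ident)))
```

Under these rules the identifier from the NOTE, alice@example.com:8080, is normalized with the https scheme rather than acct, and the WebFinger request goes to example.com:8080.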