[Openid-specs-ab] unicode host names, issuer, and URLs in the discovery document

Brock Allen brockallen at gmail.com
Mon Apr 2 00:56:57 UTC 2018


A question came up recently in our implementation of IdentityServer around unicode host names and punycode encoding of those host names. I looked thru the discovery spec and couldn't parse it well enough to know the answer to my question, so I thought I'd ask here.

Should the issuer in the discovery document be punycode for host names with unicode characters? The issuer is a URI but, AFAICT, the URI spec says that encoding is context-dependent. So in URLs unicode host names need to be punycode, but in a JSON document (either in discovery or a JWT) they don't seem like they need to be.

Should the URLs in the document (e.g. authorize and token endpoints) be punycode for host names with unicode characters? From what I've seen client/RP libraries don't do well with non-punycode URLs from discovery (meaning they don't encode them before trying to use them). But often pen-testers dislike the URLs not matching the original authority URL. Maybe this last point is pedantic.

It'd be best if there were simply a directive in the spec that simply tells me which way to do it, but in the absence of that, any insight would be appreciated. 

Thanks.

-Brock
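
An added illustration of the two encodings discussed in the message above; it is not part of the original post and is not IdentityServer code. The host names and the discovery document are constructed, and the function names are hypothetical. It shows which fields a client would have to encode before use, and which fields name the issuer's host but spell it differently.

```python
from urllib.parse import urlsplit

# Constructed discovery document: the issuer uses the Unicode (U-label) host,
# the token endpoint uses the punycode (A-label) form of the same host.
SAMPLE = {
    "issuer": "https://bücher.example",
    "authorization_endpoint": "https://bücher.example/connect/authorize",
    "token_endpoint": "https://xn--bcher-kva.example/connect/token",
    "jwks_uri": "https://cdn.example/jwks",
}

def host_forms(url):
    """Return (host as written, host as ASCII A-label) for a URL string."""
    host = urlsplit(url).hostname or ""
    # Python's built-in "idna" codec implements IDNA 2003 ToASCII.
    return host, host.encode("idna").decode("ascii")

def audit(doc):
    """Per https:// field: host encoding and relation to the issuer's host."""
    issuer_written, issuer_ace = host_forms(doc["issuer"])
    report = {}
    for field, value in doc.items():
        if not (isinstance(value, str) and value.startswith("https://")):
            continue
        written, ace = host_forms(value)
        report[field] = {
            # True: the host must be converted before a DNS lookup or TLS check.
            "non_ascii_host": written != ace,
            # True: same host once both sides are reduced to A-labels.
            "same_host_as_issuer": ace == issuer_ace,
            # True: the host is spelled exactly as in the issuer value.
            "same_spelling_as_issuer": written == issuer_written,
        }
    return report

def issuer_matches(expected, received):
    """Exact string comparison, treating the issuer as an opaque identifier."""
    return expected == received

if __name__ == "__main__":
    for field, flags in audit(SAMPLE).items():
        print(field, flags)
    print(issuer_matches("https://bücher.example", "https://xn--bcher-kva.example"))
```

A field with same_host_as_issuer true and same_spelling_as_issuer false is the mixed-encoding case the message asks about.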