[Openid-specs-ab] Issue #1291: Allow arbitrary SIOPv2 issuers (e.g. no openid:// limitation) (openid/connect)
David Waite
issues-reply at bitbucket.org
Mon Aug 16 22:51:59 UTC 2021
New issue 1291: Allow arbitrary SIOPv2 issuers (e.g. no openid:// limitation)
https://bitbucket.org/openid/connect/issues/1291/allow-arbitrary-siopv2-issuers-eg-no
David Waite:
SIOPv1 was defined to use a fixed issuer URI and custom policy with that URI. There are three reasons we should consider expanding this now to arbitrary URIs:
1. The advent of Universal Links, which would allow an HTTPS URI to invoke a local native application
2. More complex use cases involving scenario-specific metadata and independent trust frameworks. This creates the need for distinct issuers.
3. The addition of OpenID Connect Federation and Automatic Client Registration, eliminating the requirement for some previously mandated custom processing rules (redirect_uri as client_id, inline registration metadata)
With SIOPv2, the expectation would be that an issuer can be a ‘SIOP’ issuer (representing any number of instances of native applications) by omitting the `jwks_uri`, which is a required parameter for non-SIOP issuers but makes little sense in SIOP. This would indicate that the id_token signing key does not represent the issuer but the underlying subject.
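One way a relying party could apply the proposal above, as an added example that is not part of the issue thread or of any OpenID specification: classify a discovered issuer by whether its metadata carries `jwks_uri`, and for a SIOP issuer take the verification key from the token itself rather than from the issuer. It assumes the SIOPv1-style `sub_jwk` claim, with `sub` bound to the RFC 7638 thumbprint of that key (that binding is what stops an arbitrary key holder from asserting someone else's subject identifier). Metadata, JWKS and claims are constructed inline; verifying the signature with the returned key is left to a JOSE library.

```python
import base64
import hashlib
import json
from typing import Optional

# JWK members that enter the RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the lexically ordered, whitespace-free JSON of the required members."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_siop_issuer(metadata: dict) -> bool:
    """Per the proposal, an issuer whose metadata omits jwks_uri is a SIOP issuer."""
    return "jwks_uri" not in metadata


def select_verification_key(metadata: dict, header: dict, claims: dict,
                            issuer_jwks: Optional[dict] = None) -> dict:
    """Return the JWK that must verify the id_token signature.

    Conventional issuer: the key identified by the header kid in the issuer's JWKS
    (normally fetched from jwks_uri; passed in here so the example runs offline).
    SIOP issuer: the subject's own key carried in sub_jwk (assumed claim name),
    accepted only if sub is that key's thumbprint.
    """
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("iss does not match the discovered issuer")
    if not is_siop_issuer(metadata):
        for key in (issuer_jwks or {}).get("keys", []):
            if key.get("kid") == header.get("kid"):
                return key
        raise ValueError("no issuer key matches the header kid")
    sub_jwk = claims.get("sub_jwk")
    if not sub_jwk:
        raise ValueError("SIOP id_token must carry the subject key in sub_jwk")
    if claims.get("sub") != jwk_thumbprint(sub_jwk):
        raise ValueError("sub is not the thumbprint of sub_jwk; key is not bound to the subject")
    return sub_jwk
```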