[Openid-specs-ab] Issue #1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2 (openid/connect)
Adam Lemmon
issues-reply at bitbucket.org
Wed Feb 17 00:55:42 UTC 2021
New issue 1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2
https://bitbucket.org/openid/connect/issues/1208/siop-v2-dynamic-iss-claim-ref-required
Adam Lemmon:
Hi all,
We have had some good discussions on this during past calls and I wanted to formally get this down somewhere to kick off a discussion and aim to reach consensus on the use of the `iss` claim in SIOP v2.
We would like to discuss the option of enabling other URIs to be included as the `iss` claim and it not be constrained to [self-issued.me/v2](http://self-issued.me/v2).
For example being able to specify a URL of a PWA / cloud wallet provider as the `iss`, which can prove useful information for an RP that is being presented claims from such. We’d like a model that does not presume a specific deployment architecture of a wallet but is inclusive: native, PWA, cloud, etc.
Also, we had previously mentioned that the presence of a `sub_jwk` could be the signal to the RP that the token is self signed instead of the `iss` claim being constrained to [self-issued.me/v2](http://self-issued.me/v2), as one option to consider.
Look forward to the discussion on this topic, thanks!
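
Added example, not part of the original message or of any specification text: an RP-side sketch comparing the two signals discussed above (fixed `iss` versus presence of `sub_jwk`) on constructed ID token claims. It assumes the rule from OpenID Connect Core section 7 that `sub` is the base64url JWK thumbprint of `sub_jwk`; the function names, the wallet URL and the key values are made up for illustration.

```python
import base64
import hashlib
import json

SIOP_ISS = "https://self-issued.me/v2"  # the only iss value the current text allows

# Required members per key type for the RFC 7638 thumbprint input.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"),
                       "RSA": ("e", "kty", "n"),
                       "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint (RFC 7638), base64url-encoded without padding."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def is_self_issued(claims, rule):
    """rule="iss": current text; rule="sub_jwk": the option raised in the issue."""
    if rule == "iss":
        return claims.get("iss") == SIOP_ISS
    if rule == "sub_jwk":
        return isinstance(claims.get("sub_jwk"), dict)
    raise ValueError("unknown rule: %r" % rule)

def subject_bound_to_key(claims):
    """Assumed binding (OpenID Connect Core section 7): sub == thumbprint(sub_jwk).
    Signature verification with sub_jwk is a separate step, not shown here."""
    jwk = claims.get("sub_jwk")
    if not isinstance(jwk, dict):
        return False
    try:
        return claims.get("sub") == jwk_thumbprint(jwk)
    except (KeyError, TypeError):
        return False  # unsupported kty or missing key member: reject

# Constructed sample claims; the key values and wallet URL are placeholders.
_KEY = {"kty": "EC", "crv": "P-256", "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ"}
CLASSIC = {"iss": SIOP_ISS, "sub": jwk_thumbprint(_KEY), "sub_jwk": _KEY}
CLOUD_WALLET = dict(CLASSIC, iss="https://wallet.example")
NO_KEY = {"iss": "https://wallet.example", "sub": "alice"}

if __name__ == "__main__":
    for name, c in (("classic", CLASSIC), ("cloud wallet", CLOUD_WALLET), ("no key", NO_KEY)):
        print(name, is_self_issued(c, "iss"), is_self_issued(c, "sub_jwk"), subject_bound_to_key(c))
```

Under the `sub_jwk` rule the cloud-wallet token is still recognised as self-signed while `iss` carries the provider URL, so the RP's trust decision rests on the key binding and not on the `iss` value.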