[Openid-specs-ab] Issue #1400: Issuer Handling in SIOP (openid/connect)

tlodderstedt issues-reply at bitbucket.org
Thu Jan 20 10:46:49 UTC 2022


New issue 1400: Issuer Handling in SIOP
https://bitbucket.org/openid/connect/issues/1400/issuer-handling-in-siop

Torsten Lodderstedt:

The current revision of SIOP utilizes two ways to allow the RP to detect that an ID token was issued by a SIOP:

In case of static discovery, the static issuer URL `https://self-issued.me/v2` is used for that purpose. In case of dynamic discovery, the `i_am_siop` claim is used to mark the ID token as self-issued (since the `iss` value is the actual issuer URL used to discover the SIOP).

I think this is more complex than it needs to be and does not use the `iss` claim to identify the issuer of the ID token. OIDC Core defines `iss` as "Issuer Identifier for the Issuer of the response". That feels natural to me and I think we can use the same concept in SIOP as well. Who is the issuer of the ID token in that case? It is the user.

So I propose to set the `iss` claim to the value of the `sub` claim in the same ID token in order to mark an ID token as self-issued. That is also in line with the way X.509 handles self-signed certificates (Subject and Issuer refer to the same DN) and the W3C verifiable credentials data model handles the `iss` value for JWT-based VPs (https://www.w3.org/TR/vc-data-model/#example-jwt-payload-of-a-jwt-based-verifiable-presentation-non-normative).

An RP would determine whether an ID token is self-issued by checking whether `sub` and `iss` contain the same value.
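The three detection rules discussed in the issue, side by side, as an added example that is not part of the original post: the two rules of the current SIOP revision (static issuer URL, `i_am_siop` claim) and the proposed `iss == sub` rule. The claim sets are constructed, and the function assumes the ID token's signature has already been verified with the key bound to `sub`, since an unverified token could carry any `iss`/`sub` pair.

```python
import json
from typing import Optional

# Static-discovery issuer URL named in the issue.
STATIC_SIOP_ISSUER = "https://self-issued.me/v2"


def detect_self_issued(claims: dict) -> Optional[str]:
    """Return the rule under which the ID token counts as self-issued, or None.

    'static'     - current revision, static discovery: iss is the fixed SIOP URL
    'i_am_siop'  - current revision, dynamic discovery: i_am_siop claim is true
                   (assumption: the claim is a boolean)
    'iss_eq_sub' - proposal in this issue: iss equals sub

    Only claims are inspected; signature verification must happen before this.
    """
    iss = claims.get("iss")
    sub = claims.get("sub")
    # A token without a usable iss and sub cannot be classified at all.
    if not isinstance(iss, str) or not isinstance(sub, str) or not iss or not sub:
        return None
    if iss == STATIC_SIOP_ISSUER:
        return "static"
    if claims.get("i_am_siop") is True:
        return "i_am_siop"
    if iss == sub:
        return "iss_eq_sub"
    return None


def detect_from_json(payload: str) -> Optional[str]:
    """Same check over a JSON-encoded (already verified) JWT payload."""
    return detect_self_issued(json.loads(payload))


if __name__ == "__main__":
    # Constructed sample payloads, one per rule plus a conventional OP token.
    samples = {
        "static":     '{"iss":"https://self-issued.me/v2","sub":"thumbprint-1"}',
        "i_am_siop":  '{"iss":"https://wallet.example","sub":"thumbprint-2","i_am_siop":true}',
        "iss_eq_sub": '{"iss":"did:example:123","sub":"did:example:123"}',
        "plain_op":   '{"iss":"https://op.example","sub":"user-42"}',
    }
    for name, payload in samples.items():
        print(f"{name:10s} -> {detect_from_json(payload)}")
```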
