[Openid-specs-ab] Issue #1716: Clarify that Entity Statement paths include .well-known/openid-federation (openid/connect)

mbj issues-reply at bitbucket.org
Wed Nov 9 12:18:42 UTC 2022


New issue 1716: Clarify that Entity Statement paths include .well-known/openid-federation
https://bitbucket.org/openid/connect/issues/1716/clarify-that-entity-statement-paths

Michael Jones:

Let's assume that the client_id used with Automatic Registration is http://example.com/. The spec is currently ambiguous whether:

1. the OP retrieves the entity statement from https://example.com/
2. the OP retrieves the entity statement from https://example.com/.well-known/openid-federation

https://openid.net/specs/openid-connect-federation-1_0-24.html#name-automatic-registration can be interpreted to support the former (1) when it says "In all interactions with the OP, the RP employs its Entity Identifier as the Client ID. The Entity Identifier is the URL from which the OP can fetch the RP's Entity Configuration using the process described in Section 6."

https://openid.net/specs/openid-connect-federation-1_0-24.html#federation_configuration supports the latter (2) when it says "The Entity Configuration of every federation Entity SHOULD be exposed at a well-known endpoint. The configuration endpoint is found using the Well-Known URIs [RFC8615] specification, with the suffix openid-federation. The scheme, host, and port are taken directly from the Entity Identifier combined with the following path: /.well-known/openid-federation."

Consulting some of the other editors, (2) is intended. We need to update the spec to eliminate ambiguities that can lead readers to conclude (1).

Responsible: Michael Jones
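
The derivation in reading (2), as an added example that is not part of the original message or of the specification. It follows the quoted wording literally (scheme, host and port kept, path replaced) and assumes the Entity Identifier is an absolute http or https URL; the function names and sample identifiers are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Path quoted in the issue from the federation_configuration section.
WELL_KNOWN_PATH = "/.well-known/openid-federation"


def entity_configuration_url(entity_id: str) -> str:
    """Reading (2): keep scheme, host and port; replace everything else."""
    parts = urlsplit(entity_id)
    # Assumption of this example: only absolute http(s) URLs are accepted.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute HTTP(S) URL: {entity_id!r}")
    host = parts.hostname          # lower-cased, userinfo and brackets removed
    if ":" in host:                # IPv6 literal: restore the brackets
        host = f"[{host}]"
    # parts.port raises ValueError on a malformed or out-of-range port.
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    # Any path, query and fragment on the identifier are not carried over.
    return urlunsplit((parts.scheme, netloc, WELL_KNOWN_PATH, "", ""))


def fetch_targets(entity_id: str) -> dict:
    """URL an OP would request under each reading discussed in the issue."""
    return {
        "reading_1": entity_id,                            # identifier as-is
        "reading_2": entity_configuration_url(entity_id),  # well-known path
    }


if __name__ == "__main__":
    # Constructed sample identifiers, for illustration only.
    for sample in ("https://example.com/",
                   "https://rp.example.com:8443/tenant?x=1#frag"):
        print(sample, "->", fetch_targets(sample))
```

An OP and an RP that implement different readings request different URLs for the same client_id, which is the interoperability gap the issue asks the spec to close.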

