[Openid-specs-ab] SIOP Special Topic Call Notes 29-Sep-22
Andrii Deinega
andrii.deinega at gmail.com
Fri Sep 30 04:34:07 UTC 2022
Joseph,
I always thought that 3xx responses bring a lot of uncertainty in this
particular case... so, that's why they aren't allowed. I have nothing
against them in general though :)
If a client gets a redirect from
https://op.example1.org/.well-known/openid-configuration to
https://op.example2.org/.well-known/openid-configuration then what
should be an acceptable issuer (iss) in an ID Token?
Pretty much the same applies to JWT ATs and OAuth 2.0 Authorization
Server Metadata (RFC 8414).
Then, if 3xx responses are allowed, what do we do with a bunch of
other endpoints, say the JWKs or revocation endpoints... yes, for the
latter one, HTTP POST requests are also supposed to follow redirects
and resend the data.
Yet another thing here is how to deal with redirect loops if we want
to design and build resilient apps/clients.
Lastly, if we aren't lucky enough and our client is silent about HTTP
redirects, then we can spend forever trying to understand why at some
point it wasn't able to reach some host we weren't even aware of.
Just shared my thoughts on this matter.
Regards,
Andrii
On Thu, Sep 29, 2022 at 3:38 PM Joseph Heenan via Openid-specs-ab
<openid-specs-ab at lists.openid.net> wrote:
>
> Hi all
>
> Apologies as I missed today’s call as I was at the OIX conference, but this bit was a slight surprise to me:
>
> On 29 Sep 2022, at 18:47, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> George said that redirections for .well-known URLs are allowed, such as from aol.com/.well-known/openid-configuration to another URL
>
> https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse says:
>
> "A successful response MUST use the 200 OK HTTP status code”
>
> To me, this precludes returning a 3xx response (and that is how the conformance suite interprets that clause currently).
>
> If a redirect is allowed, this might be worth clarifying in an errata.
>
> Thanks
>
> Joseph
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
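The two readings discussed in this thread (a 3xx from the well-known URL is an error, versus following it) can be made concrete in a small discovery client. The following is an added example written for these notes; it is not code from the OpenID specs, the conformance suite, or any provider. The hosts (op.example1.org, op.example2.org, op.example3.org, loop-a.example, loop-b.example), the metadata documents and the `http_get` transport are all constructed so it runs offline. The strict default refuses any 3xx, matching the "MUST use the 200 OK HTTP status code" clause Joseph quotes; the opt-in mode follows a bounded number of hops and detects loops, which is the resilience point Andrii raises. In both modes the document is only accepted if its `issuer` is identical to the issuer URL the client started from (the validation rule in Discovery 1.0, section 4.3), which is why the example1 -> example2 redirect is rejected even when redirects are followed: the client never has to guess which `iss` an ID Token should carry.

```python
"""OIDC discovery fetch with an explicit redirect policy and issuer check.
Added illustrative client code, not the OpenID spec's or any OP's; all hosts,
metadata and the transport below are constructed for the example."""
import json
from urllib.parse import urljoin, urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"


class DiscoveryError(Exception):
    """Raised when discovery cannot complete or the document is not trustworthy."""


def well_known_url(issuer: str) -> str:
    """Append the well-known path to the issuer (Discovery 1.0, section 4)."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise DiscoveryError(f"issuer must be an https URL without query/fragment: {issuer}")
    path = parts.path.rstrip("/") + WELL_KNOWN  # avoid a double slash after a trailing "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def fetch_discovery(issuer, http_get, follow_redirects=False, max_redirects=5):
    """Return the parsed provider metadata for `issuer`.

    http_get(url) -> (status, headers, body) is the transport and must not
    follow redirects itself, so every 3xx is visible here and decided here.
    follow_redirects=False: any 3xx is an error (strict reading of "MUST use 200 OK").
    follow_redirects=True: hops are bounded by max_redirects and loops are detected.
    In both modes the document's "issuer" must equal the issuer we started from.
    """
    url = well_known_url(issuer)
    seen = [url]
    for _hop in range(max_redirects + 1):
        status, headers, body = http_get(url)
        if status == 200:
            doc = json.loads(body)
            if doc.get("issuer") != issuer:
                raise DiscoveryError(f"issuer mismatch: document at {url} claims "
                                     f"{doc.get('issuer')!r}, retrieved for {issuer!r}")
            return doc
        if 300 <= status < 400:
            if not follow_redirects:
                raise DiscoveryError(f"{url} answered {status}; discovery requires 200 OK")
            location = headers.get("Location")
            if not location:
                raise DiscoveryError(f"{url} answered {status} without a Location header")
            target = urljoin(url, location)  # Location may be relative
            if urlsplit(target).scheme != "https":
                raise DiscoveryError(f"refusing non-https redirect target {target}")
            if target in seen:
                raise DiscoveryError("redirect loop: " + " -> ".join(seen + [target]))
            seen.append(target)
            url = target
            continue
        raise DiscoveryError(f"unexpected status {status} from {url}")
    raise DiscoveryError(f"too many redirects ({max_redirects}) starting from {seen[0]}")


def _metadata(issuer):
    """Minimal constructed provider metadata for the fake OPs below."""
    return json.dumps({"issuer": issuer, "authorization_endpoint": issuer + "/authorize",
                       "token_endpoint": issuer + "/token", "jwks_uri": issuer + "/jwks"}).encode()


# Constructed responses keyed by URL: example1 redirects to example2 (the case in
# the thread), loop-a/loop-b redirect to each other, example3 answers directly.
FAKE_WEB = {
    "https://op.example1.org" + WELL_KNOWN: (302, {"Location": "https://op.example2.org" + WELL_KNOWN}, b""),
    "https://op.example2.org" + WELL_KNOWN: (200, {}, _metadata("https://op.example2.org")),
    "https://op.example3.org" + WELL_KNOWN: (200, {}, _metadata("https://op.example3.org")),
    "https://loop-a.example" + WELL_KNOWN: (301, {"Location": "https://loop-b.example" + WELL_KNOWN}, b""),
    "https://loop-b.example" + WELL_KNOWN: (301, {"Location": "https://loop-a.example" + WELL_KNOWN}, b""),
}


def fake_http_get(url):
    """Stand-in transport that never follows redirects on its own."""
    return FAKE_WEB.get(url, (404, {}, b""))


def try_fetch(issuer, **policy):
    """Run discovery and report ("ok", metadata) or ("error", reason)."""
    try:
        return "ok", fetch_discovery(issuer, fake_http_get, **policy)
    except DiscoveryError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for issuer, policy in [("https://op.example3.org", {}),
                           ("https://op.example1.org", {}),
                           ("https://op.example1.org", {"follow_redirects": True}),
                           ("https://loop-a.example", {"follow_redirects": True})]:
        print(issuer, policy, "->", try_fetch(issuer, **policy))
```

The transport is injected rather than hard-wired so that a real one (for example an HTTP library configured not to follow redirects) sees the same policy; if the library followed redirects silently, the client would end up with example2's document and no record of the hop, which is exactly the debugging problem described above.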