[Openid-specs-ab] Issuer issue

Roland Hedberg roland.hedberg at adm.umu.se
Wed Aug 22 06:55:53 UTC 2012


Hi!

Keeping tabs on issuer is important since it's coupled to which keys are
used.

Everything starts with Section 3.3 in
http://openid.net/specs/openid-connect-discovery-1_0.html

"If the configuration response contains the issuer element, the value
MUST exactly match the issuer for the URL that was directly used to
retrieve the configuration."

I had a bit of a problem parsing this sentence but my interpretation is
that issuer is the location URL you find using SWD.

Using the example, if you get:

HTTP/1.1 200 OK
Content-Type: application/json

{
 "locations":["https://server.example.com"]
}

And then do a GET on
https://server.example.com/.well-known/openid-configuration then

issuer == "https://server.example.com"

issuer is *not* equal to the URL I used to get the configuration.

Right?

-- Roland
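
The check as read in the message above, written out as an added example (not part of the original post and not code from any OpenID Connect implementation): the issuer element is compared by exact string match with the location returned by discovery, not with the URL used for the GET. The function names, the sample bodies and the trailing-slash handling in config_url are assumptions.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"


class IssuerMismatch(ValueError):
    """The configuration names a different issuer than the one discovered."""


def config_url(issuer: str) -> str:
    # Assumption: a trailing "/" on the issuer is dropped before appending.
    return issuer.rstrip("/") + WELL_KNOWN


def validate_configuration(issuer: str, body: str) -> dict:
    """Parse a configuration response fetched for `issuer` and check it.

    `issuer` is the location returned by discovery, not config_url(issuer).
    The comparison is an exact string match: no case folding and no
    trailing-slash or port normalisation.
    """
    config = json.loads(body)
    if not isinstance(config, dict):
        raise ValueError("configuration response is not a JSON object")
    claimed = config.get("issuer")
    # The quoted sentence only constrains the value when it is present.
    if claimed is not None and claimed != issuer:
        raise IssuerMismatch(f"expected {issuer!r}, got {claimed!r}")
    return config


def issuer_ok(issuer: str, body: str) -> bool:
    try:
        validate_configuration(issuer, body)
        return True
    except IssuerMismatch:
        return False


if __name__ == "__main__":
    discovered = "https://server.example.com"  # from the SWD "locations" reply
    # Constructed configuration bodies, one per candidate issuer value.
    for claimed in (discovered, config_url(discovered), discovered + "/",
                    "https://SERVER.example.com"):
        body = json.dumps({"issuer": claimed})
        print(f"{claimed:<62} accepted={issuer_ok(discovered, body)}")
```

Only the first candidate is accepted; a configuration that fails the check should be discarded before any keys it points to are used.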

