[Openid-specs-ab] Issuer issue

Justin Richer jricher at mitre.org
Wed Aug 22 14:11:46 UTC 2012


The "issuer" is the bit of the URL that's before the 
.well-known/openid-configuration, so 
"https://server.example.com/.well-known/openid-configuration" has an 
issuer of "https://server.example.com/" as the example states. If it 
could be worded more clearly (which I'm sure it could, because I think I 
wrote that paragraph), then please suggest better wording.

  -- Justin

On 08/22/2012 02:55 AM, Roland Hedberg wrote:
> Hi!
>
> Keeping tabs on issuer is important since it's coupled to which keys are
> used.
>
> Everything starts with Section 3.3 in
> http://openid.net/specs/openid-connect-discovery-1_0.html
>
> "If the configuration response contains the issuer element, the value
> MUST exactly match the issuer for the URL that was directly used to
> retrieve the configuration."
>
> I had a bit of a problem parsing this sentence but my interpretation is
> that issuer is the location URL you find using SWD.
>
> Using the example, if you get:
>
> HTTP/1.1 200 OK
> Content-Type: application/json
>
> {
>   "locations":["https://server.example.com"]
> }
>
> And then do a GET on
> https://server.example.com/.well-known/openid-configuration then
>
> issuer == "https://server.example.com"
>
> issuer is *not* equal to the URL I used to get the configuration.
>
> Right?
>
> -- Roland



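An added example, not part of either message or of the specification: one way a client could enforce the exact-match rule quoted above before trusting keys tied to an issuer. It assumes Justin's reading (the issuer is everything before `.well-known/openid-configuration`, trailing slash included); the function names and the sample responses are constructed for illustration.

```python
import json

WELL_KNOWN = ".well-known/openid-configuration"


class IssuerMismatch(ValueError):
    """The configuration names an issuer other than the one it was fetched from."""


def issuer_for_config_url(config_url):
    # Assumption (Justin's wording): the issuer is the part of the URL
    # before ".well-known/openid-configuration", trailing slash included.
    if not config_url.endswith("/" + WELL_KNOWN):
        raise ValueError("not a configuration URL: %r" % config_url)
    return config_url[: -len(WELL_KNOWN)]


def check_issuer(config_url, config_body):
    """Return the issuer to key stored provider keys on, or raise IssuerMismatch."""
    expected = issuer_for_config_url(config_url)
    claimed = json.loads(config_body).get("issuer")
    if claimed is None:
        # The quoted rule only applies "if the configuration response
        # contains the issuer element".
        return expected
    # Exact string comparison: no case folding, no slash trimming.
    if claimed != expected:
        raise IssuerMismatch("expected %r, got %r" % (expected, claimed))
    return claimed


# Constructed sample inputs, not captured from a real provider.
CONFIG_URL = "https://server.example.com/.well-known/openid-configuration"
SAMPLES = [
    '{"issuer": "https://server.example.com/"}',   # Justin's form
    '{"issuer": "https://server.example.com"}',    # Roland's form, no slash
    '{"issuer": "https://other.example.org/"}',    # a different issuer
    '{}',                                          # issuer element absent
]

if __name__ == "__main__":
    for body in SAMPLES:
        try:
            print("accepted:", check_issuer(CONFIG_URL, body))
        except IssuerMismatch as err:
            print("rejected:", err)
```

Under this reading the two forms used in the thread differ by one character, so a configuration that publishes the slash-less form is rejected by the exact match.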