[Openid-specs-ab] Issuer issue

John Bradley ve7jtb at ve7jtb.com
Wed Aug 22 15:15:25 UTC 2012


And "https://server.example.com/customer1/.well-known/openid-configuration" has an issuer of "https://server.example.com/customer1"

Adding the path probably needs some examples.

The idea was that it is equal to the URL before appending the /.well-known/openid-configuration. That is to save space in the JWT.

John
On 2012-08-22, at 10:11 AM, Justin Richer <jricher at mitre.org> wrote:

> The "issuer" is the bit of the URL that's before the .well-known/openid-configuration, so "https://server.example.com/.well-known/openid-configuration" has an issuer of "https://server.example.com/" as the example states. If it could be worded more clearly (which I'm sure it could, because I think I wrote that paragraph), then please suggest better wording.
> 
> -- Justin
> 
> On 08/22/2012 02:55 AM, Roland Hedberg wrote:
>> Hi!
>> 
>> Keeping tabs on issuer is important since it's coupled to which keys are
>> used.
>> 
>> Everything starts with Section 3.3 in
>> http://openid.net/specs/openid-connect-discovery-1_0.html
>> 
>> "If the configuration response contains the issuer element, the value
>> MUST exactly match the issuer for the URL that was directly used to
>> retrieve the configuration."
>> 
>> I had a bit of a problem parsing this sentence but my interpretation is
>> that issuer is the location URL you find using SWD.
>> 
>> Using the example, if you get:
>> 
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> 
>> {
>>  "locations":["https://server.example.com"]
>> }
>> 
>> And then do a GET on
>> https://server.example.com/.well-known/openid-configuration then
>> 
>> issuer == "https://server.example.com"
>> 
>> issuer is *not* equal to the URL I used to get the configuration.
>> 
>> Right?
>> 
>> -- Roland
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
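The rule stated at the top of this message (the issuer is the URL before /.well-known/openid-configuration is appended), combined with the exact-match requirement quoted from Section 3.3, can be checked as below. This is an added example, not part of the original thread; the function names and the sample configuration documents are constructed for illustration.

```python
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def issuer_for_config_url(config_url: str) -> str:
    """Return the issuer implied by a discovery URL: the URL minus the suffix."""
    if not config_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not an openid-configuration URL: %r" % config_url)
    return config_url[: -len(WELL_KNOWN_SUFFIX)]


def check_issuer(config_url: str, config: dict) -> str:
    """Compare the configuration's issuer with the one implied by its URL.

    Returns "absent" when the response has no issuer element (the quoted
    rule only applies when it is present), otherwise "match" or "mismatch".
    The comparison is an exact string match with no URL normalisation, so
    a trailing slash or a different path segment is a mismatch.
    """
    if "issuer" not in config:
        return "absent"
    expected = issuer_for_config_url(config_url)
    return "match" if config["issuer"] == expected else "mismatch"


# Constructed sample inputs: (URL used for retrieval, parsed JSON response).
ROOT = "https://server.example.com/.well-known/openid-configuration"
TENANT = "https://server.example.com/customer1/.well-known/openid-configuration"
SAMPLES = [
    (ROOT, {"issuer": "https://server.example.com"}),
    (ROOT, {"issuer": "https://server.example.com/"}),          # trailing slash
    (TENANT, {"issuer": "https://server.example.com/customer1"}),
    (TENANT, {"issuer": "https://server.example.com/customer2"}),  # other path
    (TENANT, {"issuer": "https://server.example.com"}),         # path dropped
    (ROOT, {}),                                                 # no issuer element
]


def run_samples() -> list:
    """Evaluate every constructed sample and return the verdicts in order."""
    return [check_issuer(url, cfg) for url, cfg in SAMPLES]


if __name__ == "__main__":
    for (url, cfg), verdict in zip(SAMPLES, run_samples()):
        print(verdict, url, cfg.get("issuer"))
```

Because the issuer is coupled to which keys are used, a client that gets "mismatch" should discard the configuration rather than adopt the issuer value it contains.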
