[Openid-specs-ab] Issuer issue
aanganes at mitre.org
Wed Aug 22 15:23:21 UTC 2012
How about (this replaces the entire text of section 3.3. The redirection
bit is important but is stated oddly in the original):
If the configuration response contains the issuer element, the value
MUST exactly match the issuer of the final configuration URL. For
example, if the issuer element is returned from the configuration at
value must be exactly "https://server.example.com/". If the original
request to a particular URL is redirected, the final issuer of the
configuration is based on the final URL in the redirection chain.
Or, perhaps "...MUST exactly match the _root_ of the configuration URL"?
Is the "issuer" of a URL commonly understood to have the definition
implied here (including John's comment about including a path)? It seems
like the term should be defined clearly somewhere in the document. There
are a lot of references to it with partial definitions, which a reader
could try to pull together to create a comprehensive definition, but it
seems better to just define it well up-front.
On 08/22/2012 10:11 AM, Justin Richer wrote:
> The "issuer" is the bit of the URL that's before the
> .well-known/openid-configuration, so
> "https://server.example.com/.well-known/openid-configuration" has an
> issuer of "https://server.example.com/" as the example states. If it
> could be worded more clearly (which I'm sure it could, because I think
> I wrote that paragraph), then please suggest better wording.
> -- Justin
> On 08/22/2012 02:55 AM, Roland Hedberg wrote:
>> Keeping tabs on issuer is important since it's coupled to which keys are
>> Everything starts with Section 3.3 in
>> "If the configuration response contains the issuer element, the value
>> MUST exactly match the issuer for the URL that was directly used to
>> retrieve the configuration."
>> I had a bit of a problem parsing this sentence but my interpretation is
>> that issuer is the location URL you find using SWD.
>> Using the example, if you get:
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>> And then does a GET on
>> https://server.example.com/.well-known/openid-configuration then
>> issuer == "https://server.example.com"
>> issuer is *not* equal to the URL I used to get the configuration.
>> Right ?
>> -- Roland
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab