[Openid-specs-ab] Issuer issue

Amanda Anganes aanganes at mitre.org
Wed Aug 22 15:23:21 UTC 2012


How about (this replaces the entire text of section 3.3. The redirection 
bit is important but is stated oddly in the original):

    If the configuration response contains the issuer element, the value
    MUST exactly match the issuer of the final configuration URL. For
    example, if the issuer element is returned from the configuration at
    "https://server.example.com/.well-known/openid-configuration", its
    value must be exactly "https://server.example.com/". If the original
    request to a particular URL is redirected, the final issuer of the
    configuration is based on the final URL in the redirection chain.

Or, perhaps "...MUST exactly match the _root_ of the configuration URL"? 
Is the "issuer" of a URL commonly understood to have the definition 
implied here (including John's comment about including a path)? It seems 
like the term should be defined clearly somewhere in the document. There 
are a lot of references to it with partial definitions, which a reader 
could try to pull together to create a comprehensive definition, but it 
seems better to just define it well up-front.

--Amanda

On 08/22/2012 10:11 AM, Justin Richer wrote:
> The "issuer" is the bit of the URL that's before the 
> .well-known/openid-configuration, so 
> "https://server.example.com/.well-known/openid-configuration" has an 
> issuer of "https://server.example.com/" as the example states. If it 
> could be worded more clearly (which I'm sure it could, because I think 
> I wrote that paragraph), then please suggest better wording.
>
>  -- Justin
>
> On 08/22/2012 02:55 AM, Roland Hedberg wrote:
>> Hi!
>>
>> Keeping tabs on issuer is important since it's coupled to which keys are
>> used.
>>
>> Everything starts with Section 3.3 in
>> http://openid.net/specs/openid-connect-discovery-1_0.html
>>
>> "If the configuration response contains the issuer element, the value
>> MUST exactly match the issuer for the URL that was directly used to
>> retrieve the configuration."
>>
>> I had a bit of a problem parsing this sentence but my interpretation is
>> that issuer is the location URL you find using SWD.
>>
>> Using the example, if you get:
>>
>> HTTP/1.1 200 OK
>> Content-Type: application/json
>>
>> {
>>   "locations":["https://server.example.com"]
>> }
>>
>> And then do a GET on
>> https://server.example.com/.well-known/openid-configuration then
>>
>> issuer == "https://server.example.com"
>>
>> issuer is *not* equal to the URL I used to get the configuration.
>>
>> Right?
>>
>> -- Roland
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>

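As an added illustration of the check the thread is debating (this is example code written for this archive page, not the spec's text or any implementation discussed on the list): the client derives the expected issuer from the configuration URL by taking everything before ".well-known/openid-configuration", follows any redirect chain first so the derivation uses the final URL, and then requires an exact string match against the "issuer" element. The trailing-slash form ("https://server.example.com/") follows the wording proposed above; the redirect map, the hostnames and the JSON bodies are constructed sample data, and the "issuer is optional" behaviour mirrors the "If the configuration response contains the issuer element" clause.

```python
import json
from typing import Dict, Optional

WELL_KNOWN_SUFFIX = ".well-known/openid-configuration"

# Constructed sample data for this example (not taken from any real provider).
CONFIG_URL = "https://server.example.com/.well-known/openid-configuration"
SAMPLE_OK = json.dumps({
    "issuer": "https://server.example.com/",
    "jwks_uri": "https://server.example.com/jwks.json",
})
# Stands in for HTTP 3xx Location responses a real client would observe.
SAMPLE_REDIRECTS = {
    CONFIG_URL: "https://idp.example.net/.well-known/openid-configuration",
}
SAMPLE_REDIRECTED_OK = json.dumps({
    "issuer": "https://idp.example.net/",
    "jwks_uri": "https://idp.example.net/jwks.json",
})


def expected_issuer(config_url: str) -> str:
    """Issuer as the thread defines it: the part of the configuration URL
    before '.well-known/openid-configuration' (trailing slash kept)."""
    if not config_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError(f"not a configuration URL: {config_url}")
    prefix = config_url[: -len(WELL_KNOWN_SUFFIX)]
    if not prefix.endswith("/"):
        raise ValueError(f"well-known path is not at a path boundary: {config_url}")
    return prefix


def follow_redirects(url: str, redirects: Dict[str, str], max_hops: int = 5) -> str:
    """Resolve the final URL of a redirection chain, refusing loops and
    over-long chains. `redirects` maps a URL to where it redirects."""
    seen = {url}
    hops = 0
    while url in redirects:
        url = redirects[url]
        hops += 1
        if url in seen or hops > max_hops:
            raise ValueError("redirect loop or too many hops")
        seen.add(url)
    return url


def check_issuer(request_url: str, body: str,
                 redirects: Optional[Dict[str, str]] = None) -> dict:
    """Compare the response's issuer element with the issuer derived from
    the FINAL configuration URL. Exact string comparison, no normalisation.
    A missing issuer element is not a mismatch under the proposed wording."""
    final_url = follow_redirects(request_url, redirects or {})
    expected = expected_issuer(final_url)
    actual = json.loads(body).get("issuer")
    ok = actual is None or actual == expected
    return {"final_url": final_url, "expected": expected, "actual": actual, "ok": ok}


if __name__ == "__main__":
    cases = [
        ("direct fetch, issuer matches", SAMPLE_OK, None),
        ("redirected fetch, issuer matches final URL", SAMPLE_REDIRECTED_OK, SAMPLE_REDIRECTS),
        ("redirected fetch, issuer still names original host", SAMPLE_OK, SAMPLE_REDIRECTS),
    ]
    for label, body, redirects in cases:
        r = check_issuer(CONFIG_URL, body, redirects)
        print(f"{label}: ok={r['ok']} expected={r['expected']} actual={r['actual']}")
```

The third case is the one the redirection sentence guards against: the document was fetched from idp.example.net after a redirect, so a configuration that still claims "https://server.example.com/" as its issuer is rejected, and the keys at its jwks_uri are never trusted for that issuer.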