[Openid-specs-ab] Issuer issue

Mike Jones Michael.Jones at microsoft.com
Fri Aug 24 23:51:58 UTC 2012


If this hasn't already been done, could one of you file a bug to track the need for this additional explanation?

Thanks,
-- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Wednesday, August 22, 2012 8:38 AM
To: Amanda Anganes
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Issuer issue

Issuer is equivalent to EntityID in SAML. Redirects should not change the value.

The configuration meta-data of the issuer is at a known location relative to the Issuer URL value.

The check in 3.3 is optional to avoid misconfiguration of the IDP if it has multiple issuers.

If you are trying to get the configuration for "https://server.example.com" and it comes back with a meta-data file that has an issuer of "https://server.example.com/customer1" or something else, you don't take the issuer value from the meta-data; you throw an error due to having the wrong file.

So yes that needs a better explanation and some examples.

John


On 2012-08-22, at 11:23 AM, Amanda Anganes <aanganes at mitre.org> wrote:


How about this (it replaces the entire text of section 3.3; the redirection bit is important but is stated oddly in the original):

If the configuration response contains the issuer element, the value MUST exactly match the issuer of the final configuration URL. For example, if the issuer element is returned from the configuration at "https://server.example.com/.well-known/openid-configuration", its value must be exactly "https://server.example.com/". If the original request to a particular URL is redirected, the final issuer of the configuration is based on the final URL in the redirection chain.

Or, perhaps "...MUST exactly match the root of the configuration URL"? Is the "issuer" of a URL commonly understood to have the definition implied here (including John's comment about including a path)? It seems like the term should be defined clearly somewhere in the document. There are a lot of references to it with partial definitions, which a reader could try to pull together to create a comprehensive definition, but it seems better to just define it well up-front.

--Amanda
On 08/22/2012 10:11 AM, Justin Richer wrote:
The "issuer" is the bit of the URL that's before the .well-known/openid-configuration, so "https://server.example.com/.well-known/openid-configuration" has an issuer of "https://server.example.com/" as the example states. If it could be worded more clearly (which I'm sure it could, because I think I wrote that paragraph), then please suggest better wording.

 -- Justin

On 08/22/2012 02:55 AM, Roland Hedberg wrote:

Hi!

Keeping tabs on issuer is important since it's coupled to which keys are
used.

Everything starts with Section 3.3 in
http://openid.net/specs/openid-connect-discovery-1_0.html

"If the configuration response contains the issuer element, the value
MUST exactly match the issuer for the URL that was directly used to
retrieve the configuration."

I had a bit of a problem parsing this sentence but my interpretation is
that issuer is the location URL you find using SWD.

Using the example, if you get:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "locations":["https://server.example.com"]
}

And then do a GET on
https://server.example.com/.well-known/openid-configuration, then

issuer == "https://server.example.com"

issuer is *not* equal to the URL I used to get the configuration.

Right?

-- Roland
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab
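The section 3.3 check the thread is trying to pin down, as an added Python illustration (not spec text and not any list member's code): the issuer is derived from the URL that finally served the configuration document, and a document naming a different issuer is rejected rather than trusted. It assumes that a single trailing "/" is the only tolerated difference, a point the thread itself leaves open; all URLs and metadata in the test are constructed.

```python
# Issuer check from OpenID Connect Discovery section 3.3 as discussed above.
# Added illustration only, not spec text or any list member's code.
from typing import Mapping, Sequence
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


class IssuerMismatch(Exception):
    """Metadata names an issuer other than the one whose URL served it."""


def expected_issuer(config_url: str) -> str:
    """Issuer implied by the configuration URL: everything before the
    well-known suffix. It may carry a path (e.g. one issuer per tenant)."""
    parts = urlsplit(config_url)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError(f"not a usable configuration URL: {config_url}")
    if not parts.path.endswith(WELL_KNOWN):
        raise ValueError(f"missing {WELL_KNOWN}: {config_url}")
    return config_url[: -len(WELL_KNOWN)]


def _norm(issuer: str) -> str:
    # Assumption (left open in the thread): exactly one trailing "/" is ignored.
    return issuer[:-1] if issuer.endswith("/") else issuer


def validate_configuration(redirect_chain: Sequence[str],
                           metadata: Mapping[str, object]) -> str:
    """Check metadata against the URL that finally served it and return the
    issuer to use. redirect_chain is the requested URL followed by every
    Location the client followed; its last entry is where the document
    actually came from. A metadata issuer that disagrees with that URL is
    the "wrong file" / multi-issuer misconfiguration case: raise, never
    adopt the issuer stated in the metadata."""
    final_url = redirect_chain[-1]
    want = expected_issuer(final_url)
    got = metadata.get("issuer")
    if got is None:          # no issuer element: the 3.3 check does not apply
        return want
    if not isinstance(got, str) or _norm(got) != _norm(want):
        raise IssuerMismatch(f"metadata issuer {got!r}, fetched from {final_url!r}")
    return got
```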

