[Openid-specs-ab] Static webfinger for a domain

Richer, Justin P. jricher at mitre.org
Thu Sep 25 13:42:31 UTC 2014


We're looking to set up a static webfinger responder for an entire domain, and I'm not quite sure what to do. This file absolutely must be static, as no dynamic processing or server side code is allowed in this environment (at least, not without a writ of pardon from the president, so let's call it impossible). It's simplest for us to just return a file with an HTTP 200, and we should be able to set the media type. Since all accounts on the domain are pointed to the same server, we can return the same "rel" link every time. This is great, but it makes me scratch my head about what to do with the "subject" field in the response. It's only a "SHOULD" in the webfinger RFC, so we could leave it out. But are webfinger clients (particularly OIDC clients that do discovery) expecting it? If we do leave it in, what value should it take? It can't reflect the value of the "resource" parameter, since we can't have anything on the server to process the query parameters for this. We could put in the base URL of the domain, or some kind of wildcard perhaps. What is the best practice? I can't really see anything of note in the RFC or the OIDC Discovery docs for this case.

Alternatively, Webfinger says we can return a redirect, "like a 307" but doesn't specify much beyond that. It might be possible for us to have a rewrite rule that captures the query parameters, but this is likely to be trickier to implement. Additionally, are webfinger clients able to follow these redirects properly? I just checked our own codebase, and I know that we don't. (But at least we have a TODO in there for it! Someday!)

What is the best practice here, and what are other people doing? We can't be the only ones with such a top-level domain constraint.

 -- Justin
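As an added illustration (not code from the original post or from the OpenID project), here is the static JRD the post describes, with "subject" left out because a static file cannot echo the "resource" query parameter, beside a small discovery client that accepts a missing subject, rejects a mismatched one, and follows the 307 redirect the post mentions as the alternative. The `fetch` callable is an assumed injection point standing in for a real HTTP client so the example runs offline.

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed static JRD of the kind described above: one fixed "rel" link for
# every account on the domain; "subject" (a SHOULD in RFC 7033) is omitted.
STATIC_JRD = json.dumps({
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://idp.example.org"}]
})

def webfinger_url(host, resource):
    """Build the RFC 7033 query URL for `resource` hosted at `host`."""
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return urlunsplit(("https", host, "/.well-known/webfinger", query, ""))

def issuer_from_jrd(body, resource):
    """Return the OIDC issuer href from a JRD body.
    A missing "subject" is tolerated; a subject naming a different resource
    than the one requested is rejected rather than silently accepted.
    """
    jrd = json.loads(body)
    subject = jrd.get("subject")
    if subject is not None and subject != resource:
        raise ValueError(f"subject {subject!r} does not match {resource!r}")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"]
    raise ValueError("no OIDC issuer link in JRD")

def resolve_issuer(fetch, host, resource, max_redirects=3):
    """Run discovery via an injected fetch(url) -> (status, headers, body).
    Follows a bounded number of redirects, and only to https targets.
    """
    url = webfinger_url(host, resource)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status == 200:
            return issuer_from_jrd(body, resource)
        if status in (301, 302, 307, 308) and "Location" in headers:
            url = headers["Location"]
            if urlsplit(url).scheme != "https":
                raise ValueError("refusing non-https redirect")
            continue
        raise ValueError(f"unexpected webfinger status {status}")
    raise ValueError("too many redirects")
```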
