[Openid-specs-ab] Static webfinger for a domain

George Fletcher gffletch at aol.com
Thu Sep 25 14:21:53 UTC 2014

I'm very interested in this as well as I won't be able to deploy a 
dynamic endpoint on our domain either. My plan was to use the redirect 
mechanism to point the queries to an endpoint I do control. However, if 
clients don't implement that feature it's not going to work.


On 9/25/14, 9:42 AM, Richer, Justin P. wrote:
> We're looking to set up a static webfinger responder for an entire domain, and I'm not quite sure what to do. This file absolutely must be static, as no dynamic processing or server side code is allowed in this environment (at least, not without a writ of pardon from the president, so let's call it impossible). It's simplest for us to just return a file with an HTTP 200, and we should be able to set the media type. Since all accounts on the domain are pointed to the same server, we can return the same "rel" link every time. This is great, but it makes me scratch my head about what to do with the "subject" field in the response. It's only a "SHOULD" in the webfinger RFC, so we could leave it out. But are webfinger clients (particularly OIDC clients that do discovery) expecting it? If we do leave it in, what value should it take? It can't reflect the value of the "resource" parameter, since we can't have anything on the server to process the query parameters for this. We could put in the base URL of the domain, or some kind of wildcard perhaps. What is the best practice? I can't really see anything of note in the RFC or the OIDC Discovery docs for this case.
> Alternatively, Webfinger says we can return a redirect, "like a 307" but doesn't specify much beyond that. It might be possible for us to have a rewrite rule that captures the query parameters, but this is likely to be trickier to implement. Additionally, are webfinger clients able to follow these redirects properly? I just checked our own codebase, and I know that we don't. (But at least we have a TODO in there for it! Someday!)
> What is the best practice here, and what are other people doing? We can't be the only ones with such a top-level domain constraint.
>   -- Justin
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

George Fletcher <http://connect.me/gffletch>
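The two deployments discussed in this thread, a static JRD file served for every resource (so no usable "subject") and a static 307 redirect to a host the operator does control, only work if the relying party's WebFinger client tolerates the first and follows the second. The example below is added here and is not code from the thread or from either poster's codebase: a small discovery client that accepts a missing or non-matching "subject", follows redirects while checking that the "resource" query parameter survived the hop, and validates the issuer href the way OpenID Connect Discovery requires (https, no query or fragment). The hosts, responses and the lookup-table "transport" are constructed stand-ins for real HTTPS servers.

```python
"""Added example (not from the thread): a WebFinger client for OpenID Connect
issuer discovery that copes with a static JRD file served for every resource
and with a static 307 redirect to another host. All hosts and responses are
constructed; a lookup table replaces the real HTTPS transport."""
import json
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
MAX_REDIRECTS = 3

# Constructed responses. example.com serves one static file for every
# resource and omits "subject"; example.org answers with a static 307 whose
# rewrite rule forwards the query string to wf.example.net.
STATIC_JRD = json.dumps({
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://op.example.com"}],
})
DYNAMIC_JRD = json.dumps({
    "subject": "acct:alice@example.org",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://op.example.org"}],
})
FAKE_TRANSPORT = {
    "https://example.com/.well-known/webfinger": (200, {}, STATIC_JRD),
    "https://example.org/.well-known/webfinger":
        (307, {"Location": "https://wf.example.net/.well-known/webfinger"}, ""),
    "https://wf.example.net/.well-known/webfinger": (200, {}, DYNAMIC_JRD),
}


def fake_get(url):
    """Stand-in for an HTTPS GET: look the URL up without its query string."""
    p = urlsplit(url)
    base = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    status, headers, body = FAKE_TRANSPORT[base]
    if status == 307:
        # Emulate a rewrite rule that carries the query string over unchanged.
        headers = dict(headers, Location=headers["Location"] + "?" + p.query)
    return status, headers, body


def webfinger_url(host, resource, rel):
    """Build the https WebFinger URL for a host, resource and rel."""
    query = urlencode({"resource": resource, "rel": rel})
    return urlunsplit(("https", host, "/.well-known/webfinger", query, ""))


def extract_issuer(jrd, resource):
    """Return (issuer, subject) from a parsed JRD, or raise ValueError.

    A missing "subject", or one that does not echo the resource (a static file
    cannot), is tolerated: the rel link is what identifies the issuer. The href
    must be an https URL with no query or fragment, as OpenID Connect Discovery
    requires of issuer identifiers.
    """
    subject = jrd.get("subject")
    for link in jrd.get("links", []):
        if link.get("rel") != OIDC_ISSUER_REL:
            continue
        href = link.get("href", "")
        p = urlsplit(href)
        if p.scheme != "https" or not p.netloc or p.query or p.fragment:
            raise ValueError("issuer link is not a bare https URL: %r" % href)
        return href, subject
    raise ValueError("no %s link for %s" % (OIDC_ISSUER_REL, resource))


def discover_issuer(resource, get=fake_get):
    """Run WebFinger for an acct: or https: resource; return (issuer, subject)."""
    if resource.startswith("acct:"):
        host = resource.rsplit("@", 1)[1]
    else:
        host = urlsplit(resource).netloc
    url = webfinger_url(host, resource, OIDC_ISSUER_REL)
    for _ in range(MAX_REDIRECTS + 1):
        p = urlsplit(url)
        if p.scheme != "https":
            raise ValueError("WebFinger must use https, refusing %r" % url)
        # Whatever host we were sent to must still be asked about our resource.
        if parse_qs(p.query).get("resource") != [resource]:
            raise ValueError("redirect dropped the resource parameter: %r" % url)
        status, headers, body = get(url)
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        if status != 200:
            raise ValueError("WebFinger returned HTTP %d for %r" % (status, url))
        return extract_issuer(json.loads(body), resource)
    raise ValueError("too many redirects for %r" % resource)


if __name__ == "__main__":
    print(discover_issuer("acct:alice@example.com"))  # static file, no subject
    print(discover_issuer("acct:alice@example.org"))  # via the 307 redirect
```

The check on the "resource" parameter after each redirect is the one a static-redirect deployment depends on: if the rewrite rule drops the query string, the target host cannot know which account is being asked about, and the client should fail closed rather than accept whatever the target returns by default. The https-only rules on both the WebFinger URL and the issuer href are what keep a plain-HTTP response from steering the relying party to an attacker-chosen issuer.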
