<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Issuer is equivalent to EntityID in SAML. Redirects should not change the value.<div><br></div><div>The configuration meta-data of the issuer is at a known location relative to the Issuer URL value.</div><div><br></div><div>The check in 3.3 is optional to avoid misconfiguration of the IDP if it has multiple issuers.</div><div><br></div><div>If you are trying to get the configuration for "<a class="moz-txt-link-rfc2396E" href="https://server.example.com/">https://server.example.com</a>" and it comes back with a meta-data file that has an issuer of "<a class="moz-txt-link-rfc2396E" href="https://server.example.com/customer1">https://server.example.com/customer1</a>" or something else, you don't take the issuer value from the meta-data; you throw an error due to having the wrong file.</div><div><br></div><div>So yes, that needs a better explanation and some examples.</div><div><br></div><div>John</div><div><br></div><div><br><div><div>On 2012-08-22, at 11:23 AM, Amanda Anganes &lt;<a href="mailto:aanganes@mitre.org">aanganes@mitre.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  
  
  <div bgcolor="#FFFFFF" text="#000000">
    How about (this replaces the entire text of section 3.3. The
    redirection bit is important but is stated oddly in the original):<br>
    <blockquote>If the configuration response contains the issuer
      element, the value MUST exactly match the issuer of the final
      configuration URL. For example, if the issuer element is returned
      from the configuration at
      <a class="moz-txt-link-rfc2396E" href="https://server.example.com/.well-known/openid-configuration">"https://server.example.com/.well-known/openid-configuration"</a>, its
      value must be exactly <a class="moz-txt-link-rfc2396E" href="https://server.example.com/">"https://server.example.com/"</a>. If the
      original request to a particular URL is redirected, the final
      issuer of the configuration is based on the final URL in the
      redirection chain.<br>
    </blockquote>
    Or, perhaps "...MUST exactly match the <u>root</u> of the
    configuration URL"? Is the "issuer" of a URL commonly understood to
    have the definition implied here (including John's comment about
    including a path)? It seems like the term should be defined clearly
    somewhere in the document. There are a lot of references to it with
    partial definitions, which a reader could try to pull together to
    create a comprehensive definition, but it seems better to just
    define it well up-front. <br>
    <br>
    --Amanda<br>
    <br>
    <div class="moz-cite-prefix">On 08/22/2012 10:11 AM, Justin Richer
      wrote:<br>
    </div>
    <blockquote cite="mid:5034E8A2.6070504@mitre.org" type="cite">The
      "issuer" is the bit of the URL that's before the
      .well-known/openid-configuration, so
      <a class="moz-txt-link-rfc2396E" href="https://server.example.com/.well-known/openid-configuration">"https://server.example.com/.well-known/openid-configuration"</a> has
      an issuer of <a class="moz-txt-link-rfc2396E" href="https://server.example.com/">"https://server.example.com/"</a> as the example states.
      If it could be worded more clearly (which I'm sure it could,
      because I think I wrote that paragraph), then please suggest
      better wording.
      <br>
      <br>
       -- Justin
      <br>
      <br>
      On 08/22/2012 02:55 AM, Roland Hedberg wrote:
      <br>
      <blockquote type="cite">Hi!
        <br>
        <br>
        Keeping tabs on issuer is important since it's coupled to which
        keys are used.
        <br>
        <br>
        Everything starts with Section 3.3 in
        <br>
        <a class="moz-txt-link-freetext" href="http://openid.net/specs/openid-connect-discovery-1_0.html">http://openid.net/specs/openid-connect-discovery-1_0.html</a>
        <br>
        <br>
        "If the configuration response contains the issuer element, the
        value MUST exactly match the issuer for the URL that was directly used
        to retrieve the configuration."
        <br>
        <br>
        I had a bit of a problem parsing this sentence but my
        interpretation is that issuer is the location URL you find using SWD.
        <br>
        <br>
        Using the example, if you get:
        <br>
        <br>
        HTTP/1.1 200 OK
        <br>
        Content-Type: application/json
        <br>
        <br>
        {
        <br>
          "locations":[<a class="moz-txt-link-rfc2396E" href="https://server.example.com/">"https://server.example.com"</a>]
        <br>
        }
        <br>
        <br>
        And then do a GET on
        <a class="moz-txt-link-freetext" href="https://server.example.com/.well-known/openid-configuration">https://server.example.com/.well-known/openid-configuration</a> then
        <br>
        <br>
        issuer == <a class="moz-txt-link-rfc2396E" href="https://server.example.com/">"https://server.example.com"</a>
        <br>
        <br>
        issuer is *not* equal to the URL I used to get the configuration.
        <br>
        <br>
        Right ?
        <br>
        <br>
        -- Roland
        <br>
        _______________________________________________
        <br>
        Openid-specs-ab mailing list
        <br>
        <a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
        <br>
        <a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
        <br>
      </blockquote>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>