Migration - openid.realm description now bogus

Issue #934 resolved
Nat Sakimura created an issue

It was using the key pair before, but now is just comparing iss. So, this text should also change.

Currently:

If the authority section of Authorization Endpoint URI is different from the authority section of the OpenID 2.0 OP’s OP Endpoint URL, the ID Token returned from the authentication request MUST be signed using the OP’s private key. The OP's corresponding public key MUST be published through the OpenID 2.0 Identifier URL with application/jwk-set+json mime-type in response to a GET request with an Accept header set to application/jwk-set+json.

Change to:

If the authority section of Authorization Endpoint URI is different from the authority section of the OpenID 2.0 OP’s OP Endpoint URL, the client MUST issue a GET request to it with an Accept header set to application/json to obtain the value of the iss claim in it. The value of the iss claim obtained this way and the value of the iss claim in the ID Token MUST exactly match.
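The proposed client-side check, written out as an added example (not code from the Migration spec or this issue): the authority comparison, the GET with `Accept: application/json`, and the exact iss match. The HTTP fetch is injected and the discovery response is a constructed sample so the block runs offline; `verify_migration_iss`, `constructed_fetch` and the sample URLs are this example's own names.

```python
from urllib.parse import urlsplit

# Constructed sample: the body a GET on the OpenID 2.0 OP Endpoint URL with
# Accept: application/json is assumed to return (not a real OP's response).
SAMPLE_OP_ENDPOINT = "https://openid.example.org/server"
SAMPLE_AUTHZ_ENDPOINT = "https://login.example.org/oauth2/authorize"
SAMPLE_DISCOVERY = {"iss": "https://login.example.org"}


def constructed_fetch(url, accept):
    """Stand-in for an HTTP client: GET `url` with the given Accept header."""
    assert accept == "application/json"
    return dict(SAMPLE_DISCOVERY) if url == SAMPLE_OP_ENDPOINT else {}


def authority(uri):
    """Authority section (userinfo@host:port) of a URI; host is case-insensitive."""
    return urlsplit(uri).netloc.lower()


def verify_migration_iss(authz_endpoint, op_endpoint, id_token_iss, fetch_json):
    """Apply the proposed rule to one ID Token.

    Returns True when the token's iss is acceptable; raises ValueError when
    the published iss is missing or does not exactly match the token's iss.
    """
    if authority(authz_endpoint) == authority(op_endpoint):
        return True  # same authority: the proposed text requires no lookup
    doc = fetch_json(op_endpoint, accept="application/json")
    published_iss = doc.get("iss")
    if not isinstance(published_iss, str):
        raise ValueError("OP Endpoint URL did not return an iss claim")
    # Exact comparison: a trailing slash or a case change is a mismatch.
    if published_iss != id_token_iss:
        raise ValueError("iss mismatch: %r != %r" % (published_iss, id_token_iss))
    return True
```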
