- changed status to open
Improve clarity of sentence about issuer value
Issue #2031
resolved
This sentence:
The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information.
could be misinterpreted because it doesn’t describe the Issuer URL being the prefix used for .well-known/openid-configuration to retrieve the metadata.
Compare this to the equivalent sentence from https://www.rfc-editor.org/rfc/rfc8414#section-6.2 :
To prevent this, the client MUST ensure that the issuer identifier URL it is using as the prefix for the metadata request exactly matches the value of the "issuer" metadata value in the authorization server metadata document received by the client.
Comments (3)
-
reporter -
reporter To be fixed by https://bitbucket.org/openid/connect/pull-requests/624
-
reporter - changed status to resolved
We agreed to improve this on the 14-Aug-23 working group call.
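The check both quoted sentences describe, written out as an added example (not part of the issue, the specification, or any OpenID library): the client compares the Issuer URL it used as the prefix for the metadata request with the "issuer" value in the returned document, by exact string comparison. The host `op.example`, the `fetch` callable, and the sample responses are constructed for illustration.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"

class IssuerMismatch(ValueError):
    """The metadata's "issuer" is not the Issuer URL the request was built from."""

def discovery_url(issuer: str) -> str:
    # OpenID Connect Discovery: remove a terminating "/" before appending the suffix.
    base = issuer[:-1] if issuer.endswith("/") else issuer
    return base + WELL_KNOWN

def validate_metadata(issuer_used: str, body: str) -> dict:
    # Exact string comparison: no case folding, no slash or port normalization.
    metadata = json.loads(body)
    returned = metadata.get("issuer") if isinstance(metadata, dict) else None
    if returned != issuer_used:
        raise IssuerMismatch(f"used {issuer_used!r} as prefix, document says {returned!r}")
    return metadata

def discover(issuer: str, fetch) -> dict:
    # fetch is a hypothetical callable (URL -> response body); swap in an HTTPS client.
    return validate_metadata(issuer, fetch(discovery_url(issuer)))

# Constructed responses standing in for the network (op.example is a placeholder).
RESPONSES = {
    "https://op.example/tenant-a/.well-known/openid-configuration":
        json.dumps({"issuer": "https://op.example/tenant-a"}),
    # Document served under tenant-b that claims to be tenant-a.
    "https://op.example/tenant-b/.well-known/openid-configuration":
        json.dumps({"issuer": "https://op.example/tenant-a"}),
}

def accepted(issuer: str) -> bool:
    try:
        discover(issuer, RESPONSES.__getitem__)
        return True
    except IssuerMismatch:
        return False

if __name__ == "__main__":
    for candidate in ("https://op.example/tenant-a",    # exact match
                      "https://op.example/tenant-a/",   # same URL fetched, strings differ
                      "https://op.example/tenant-b"):   # issuer names another prefix
        print(candidate, "->", "accepted" if accepted(candidate) else "rejected")
```

The trailing-slash case shows why the wording matters: both Issuer URLs resolve to the same configuration URL, but only the one that is string-identical to the returned "issuer" passes.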