Improve clarity of sentence about issuer value

Issue #2031 resolved
Michael Jones created an issue

This sentence:

The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information.

could be misinterpreted because it doesn’t describe the Issuer URL being the prefix used for .well-known/openid-configuration to retrieve the metadata.

Compare this to the equivalent sentence from https://www.rfc-editor.org/rfc/rfc8414#section-6.2 :

To prevent this, the client MUST ensure that the issuer identifier URL it is using as the prefix for the metadata request exactly matches the value of the "issuer" metadata value in the authorization server metadata document received by the client.
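The check both sentences describe, as an added example that is not part of the original issue or of either specification: the returned issuer is compared with the Issuer used as the prefix, not with the full URL that was fetched. The function names, the `fetch` callable and the `op.example.com` documents are constructed for illustration.

```python
# Added illustration: names and sample documents below are constructed.
WELL_KNOWN = "/.well-known/openid-configuration"


class IssuerMismatch(ValueError):
    """Raised when metadata does not belong to the issuer we asked for."""


def discovery_url(issuer: str) -> str:
    # OpenID Connect Discovery: remove a terminating "/" from the Issuer,
    # then append the well-known path.
    base = issuer[:-1] if issuer.endswith("/") else issuer
    return base + WELL_KNOWN


def load_provider(issuer: str, fetch) -> dict:
    """Fetch metadata for `issuer` and accept it only if it names that issuer.

    `fetch` is a hypothetical callable (URL -> parsed JSON dict) standing in
    for the HTTPS request.
    """
    metadata = fetch(discovery_url(issuer))
    returned = metadata.get("issuer")
    # Compare against the prefix (the Issuer), not the URL that was fetched.
    # Exact string comparison: no case folding, no slash normalization.
    if not isinstance(returned, str) or returned != issuer:
        raise IssuerMismatch(f"asked for {issuer!r}, metadata says {returned!r}")
    return metadata


def accepts(issuer: str, documents: dict) -> bool:
    try:
        load_provider(issuer, documents.__getitem__)
        return True
    except IssuerMismatch:
        return False


# Constructed sample: retrieval URL -> metadata document served there.
TENANT = "https://op.example.com/tenant1"
GOOD = {discovery_url(TENANT): {"issuer": TENANT}}
# Misreading of the sentence: issuer echoes the full retrieval URL.
ECHO = {discovery_url(TENANT): {"issuer": discovery_url(TENANT)}}
# Document served under tenant1 but claiming to be another issuer.
OTHER = {discovery_url(TENANT): {"issuer": "https://op.example.com/tenant2"}}

if __name__ == "__main__":
    for name, docs in [("good", GOOD), ("echo", ECHO), ("other", OTHER)]:
        print(name, accepts(TENANT, docs))
    # Same retrieval URL, but the configured Issuer has a trailing slash.
    print("trailing slash", accepts(TENANT + "/", GOOD))
```

The last case fetches the same document as the first but is rejected, because the comparison is an exact string match against the configured Issuer.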
