- changed milestone to Implementer's Draft
assigned issue to
Messages 2.1.2.1 iss clarification
iss may need clarification that it is a https: scheme URI in sec 2.1.2.1
One or more interop participants are using host names as issuer without a scheme
This is clear in discovery.
In Messages the definition of issuer identifier is: "Verifiable identifier for an Issuer. An Issuer Identifier is a URL using the https scheme that contains scheme, host, and OPTIONALLY, port number and path components. (No query or fragment components MAY be present.)"
Also Sec 9.14
OpenID Connect supports multiple issuers per Host and Port combination. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
OpenID Connect treats the path component of any URI as part of the user identifier. For instance, the subject "1234" with an issuer of "https://example.com" is not equivalent to the subject "1234" with an issuer of "https://example.com/sales".
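The rules quoted in this issue (Issuer Identifier syntax, the exact-match requirement of Sec 9.14, and the path being part of the user's identity) as an RP-side check. This is an added example, not code from the OpenID Connect specifications or from this issue; the host names, discovery document and ID Token claims in it are constructed for illustration.

```python
"""Added example: validating the "iss" Claim against the Issuer Identifier
definition and the Sec 9.14 exact-match rule. Inputs are constructed."""
from urllib.parse import urlsplit


def issuer_identifier_error(iss):
    """Return None if `iss` is a well-formed Issuer Identifier, else a reason.

    Rules applied: https scheme, a host, OPTIONAL port and path, and no query
    or fragment component. Userinfo is rejected because the definition lists
    only scheme, host, port and path.
    """
    if not isinstance(iss, str) or not iss:
        return "iss missing or not a string"
    if "?" in iss or "#" in iss:
        # Also catches a bare trailing "?" or "#", which urlsplit reports as "".
        return "query or fragment component present"
    parts = urlsplit(iss)
    if parts.scheme != "https":
        # A bare host name such as "op.example.com" lands here: urlsplit
        # yields an empty scheme and puts the whole string in the path.
        return "scheme is %r, must be https" % parts.scheme
    if not parts.hostname:
        return "host component missing"
    if parts.username is not None or parts.password is not None:
        return "userinfo component not allowed"
    try:
        parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return "port is not numeric"
    return None


def id_token_issuer_matches(discovery_doc, claims):
    """Sec 9.14 check: the discovery "issuer" MUST exactly equal the ID Token
    "iss". Plain string comparison; no trailing-slash or case normalisation,
    because two issuers on one host and port are distinct issuers."""
    for label, value in (("discovery issuer", discovery_doc.get("issuer")),
                         ("iss", claims.get("iss"))):
        err = issuer_identifier_error(value)
        if err:
            return False, "%s: %s" % (label, err)
    if discovery_doc["issuer"] != claims["iss"]:
        return False, "iss does not exactly match discovery issuer"
    return True, "ok"


def end_user_identity(claims):
    """The End-User is identified by the (iss, sub) pair; the path component
    of iss is part of that identity, so the same sub under
    https://example.com and https://example.com/sales is two users."""
    return (claims["iss"], claims["sub"])


if __name__ == "__main__":
    # Constructed discovery document and ID Token claims (hypothetical OP).
    discovery = {"issuer": "https://op.example.com/sales"}
    good = {"iss": "https://op.example.com/sales", "sub": "1234"}
    bare_host = {"iss": "op.example.com", "sub": "1234"}   # the interop bug
    other_path = {"iss": "https://op.example.com", "sub": "1234"}
    print(id_token_issuer_matches(discovery, good))
    print(id_token_issuer_matches(discovery, bare_host))
    print(end_user_identity(good) == end_user_identity(other_path))
```

Note that a host name without a scheme fails at the scheme check rather than at the exact-match check, which gives the RP a precise error to report back to the OP; the exact-match comparison is deliberately left as a plain string equality.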
Comments (2)
- changed status to resolved
Fixed
#858- Incorporated elements of the Issuer Identifier definition into the "iss" Claim description.→ <<cset d09eeb3a2bf8>>
We will copy elements of the Issuer Identifier definition into the "iss" definition. In particular, we will say that "iss" must be a URL using the "https:" scheme.