Messages 2.1.2.1 iss clarification

Issue #858 resolved
John Bradley created an issue

iss may need clarification that it is a https: scheme URI in sec 2.1.2.1

One or more interop participants are using host names as issuer without a scheme.

This is clear in discovery.

In Messages the definition of issuer identifier: "Verifiable identifier for an Issuer. An Issuer Identifier is a URL using the https scheme that contains scheme, host, and OPTIONALLY, port number and path components. (No query or fragment components MAY be present.)"

Also Sec 9.14

OpenID Connect supports multiple issuers per Host and Port combination. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.

OpenID Connect treats the path component of any URI as part of the user identifier. For instance, the subject "1234" with an issuer of "https://example.com" is not equivalent to the subject "1234" with an issuer of "https://example.com/sales".
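The checks the quoted text implies for a relying party, as an added example that is not part of the issue or of the specification. The function names are hypothetical and the sample values are constructed.

```python
from urllib.parse import urlsplit


def issuer_problems(iss):
    """Return the reasons iss is not a valid Issuer Identifier (empty if valid)."""
    problems = []
    parts = urlsplit(iss)
    # A bare host name such as "example.com" parses with no scheme and no host.
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host component")
    # Check the raw string so an empty query ("...?") or fragment ("...#") is caught too.
    if "?" in iss:
        problems.append("query component present")
    if "#" in iss:
        problems.append("fragment component present")
    try:
        parts.port  # raises ValueError when the port is not a valid number
    except ValueError:
        problems.append("port is not a valid number")
    return problems


def check_id_token_issuer(discovered_issuer, token_iss):
    """Raise ValueError unless token_iss is well formed and exactly matches discovery."""
    problems = issuer_problems(token_iss)
    if problems:
        raise ValueError("invalid iss %r: %s" % (token_iss, "; ".join(problems)))
    # Exact string comparison: no case folding, no trailing-slash normalisation.
    if token_iss != discovered_issuer:
        raise ValueError("iss %r does not exactly match discovered issuer %r"
                         % (token_iss, discovered_issuer))


def account_key(iss, sub):
    """Local account key: the subject is only meaningful together with its issuer."""
    return (iss, sub)


if __name__ == "__main__":
    for candidate in ("example.com", "https://example.com/sales",
                      "https://example.com/sales?tenant=1"):
        print(candidate, "->", issuer_problems(candidate) or "ok")
    print(account_key("https://example.com", "1234")
          == account_key("https://example.com/sales", "1234"))
```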
