Note that the Issuer Identifier URL Should Have the Metadata Headers #128
Comments
Looked at the related PR and this is a good idea; no notes! (Originally published at: https://jacky.wtf/2023/11/iabv)
I'm trying to figure out where I would put this note if I did.
Being as the authorization endpoint and the flow uses the issuer identified as part of the flow, the header should probably also be served there for verification purposes.
What URL is this?
What are you trying to say? Your phrasing here and elsewhere is extremely difficult to understand.
The URL is the one provided during as the issuer parameter in the metadata endpoint and returned by the authorization endpoint.
Care to re-phrase that?
You mean the IndieAuth Server Metadata. And must have a metadata header conflicts with the case where discovery is done per the OAuth fallback via .well-known per RFC 8414.
How so? I'm fine with SHOULD then. I don't think it conflicts saying that when the headers are served by a site, it must be served there. Also, it doesn't note well-known as a fallback in the spec specifically.
The spec specifically states:
RECOMMENDED is the equivalent of SHOULD according to the IETF definitions of those terms. Either way, the spec says the issuer identifier is a prefix of the metadata endpoint, not the URL of the endpoint itself, so it wouldn't have the .well-known in your case. The idea being, in your OAuth 2.0 compatible implementation, if your metadata endpoint is example.org/.well-known, your issuer identifier would be example.org and this would recommend you offer the metadata endpoint header on the page served at example.org.
Amend the specification, per #127 discussion for an extension, to note that due to the fact the issuer URL MUST have the metadata header for discovery purposes.
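
The relationship discussed in this thread, as an added example that is not part of the original issue or of the IndieAuth spec text: a client-side check that the issuer is a prefix of the metadata endpoint and that the page at the issuer URL advertises that endpoint in a `Link` header. The function names and sample URLs are constructed for illustration; `indieauth-metadata` is the rel value IndieAuth uses for metadata discovery, and the same-host comparison is a stricter reading of "prefix" chosen here.

```python
import re
from urllib.parse import urljoin, urlsplit

REL = "indieauth-metadata"  # rel value used by IndieAuth for metadata discovery

# Constructed sample values modelled on the example.org case in the thread.
ISSUER = "https://example.org/"
METADATA_URL = "https://example.org/.well-known/oauth-authorization-server"
LINK_HEADER = ('<https://example.org/auth>; rel="authorization_endpoint", '
               '</.well-known/oauth-authorization-server>; rel="indieauth-metadata"')

def metadata_links(link_header, base_url):
    """Absolute targets of Link entries whose rel list contains REL.
    Simplified parser: assumes no commas inside targets or quoted parameters."""
    targets = []
    for entry in link_header.split(","):
        m = re.match(r'\s*<([^>]*)>(.*)', entry, re.S)
        if not m:
            continue
        rel = re.search(r';\s*rel\s*=\s*"?([^";]*)"?', m.group(2), re.I)
        if rel and REL in rel.group(1).lower().split():
            targets.append(urljoin(base_url, m.group(1)))
    return targets

def issuer_is_prefix(issuer, metadata_url):
    """Same scheme and host, and the issuer path is a prefix of the metadata path.
    Comparing parsed parts avoids the raw string-prefix trap where
    https://example.org would 'prefix' https://example.org.other.test/."""
    i, m = urlsplit(issuer), urlsplit(metadata_url)
    return (i.scheme, i.netloc) == (m.scheme, m.netloc) and m.path.startswith(i.path or "/")

def check_issuer(issuer, metadata_url, issuer_page_link_header):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("issuer must be https with no query or fragment")
    if not issuer_is_prefix(issuer, metadata_url):
        problems.append("issuer is not a prefix of the metadata endpoint URL")
    if metadata_url not in metadata_links(issuer_page_link_header or "", issuer):
        problems.append("issuer URL does not advertise the metadata endpoint")
    return problems

if __name__ == "__main__":
    print(check_issuer(ISSUER, METADATA_URL, LINK_HEADER))  # header present
    print(check_issuer(ISSUER, METADATA_URL, ""))           # header missing
```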