Note that the Issuer Identifier URL Should Have the Metadata Headers #128

Open
dshanske opened this issue Nov 7, 2023 · 9 comments

@dshanske
Member

dshanske commented Nov 7, 2023

Amend the specification, per #127 discussion for an extension, to note that due to the fact the issuer URL MUST have the metadata header for discovery purposes.

@jalcine

jalcine commented Nov 7, 2023

Looked at the related PR and this is a good idea; no notes!

(Originally published at: https://jacky.wtf/2023/11/iabv)

@dshanske
Member Author

dshanske commented Nov 8, 2023

I'm trying to figure out where I would put this note if I did.

@dshanske
Member Author

Being as the authorization endpoint and the flow uses the issuer identified as part of the flow, the header should probably also be served there for verification purposes.

@omz13

omz13 commented Nov 27, 2023

> the issuer URL

What URL is this?

> should probably also

What are you trying to say? Your phrasing here and elsewhere is extremely difficult to understand.

dshanske changed the title from "Note that the Issuer URL Must Have the Metadata Headers" to "Note that the Issuer Identifier URL Must Have the Metadata Headers" on Nov 27, 2023

@dshanske
Member Author

The URL is the one provided during as the issuer parameter in the metadata endpoint and returned by the authorization endpoint.

@omz13

omz13 commented Nov 27, 2023

> provided during as

Care to re-phrase that?

> returned by the authorization endpoint

You mean the IndieAuth Server Metadata.

And must have a metadata header conflicts with the case where discovery is done per the OAuth fallback to via .well-known per RFC8414.

@dshanske
Member Author

dshanske commented Nov 27, 2023

How so? I'm fine with SHOULD then. I don't think it conflicts saying that when the headers are served by a site, it must be served there.

Also, it doesn't note well-known as a fallback in the spec specifically.

dshanske changed the title from "Note that the Issuer Identifier URL Must Have the Metadata Headers" to "Note that the Issuer Identifier URL Should Have the Metadata Headers" on Nov 27, 2023

@omz13

omz13 commented Nov 29, 2023

> Also, it doesn't note well-known as a fallback in the spec specifically.

The spec specifically states:

> For compatibility with other OAuth 2.0 implementations, use of the .well-known path as defined in RFC8414 is RECOMMENDED but optional

@dshanske
Member Author

RECOMMENDED is the equivalent of SHOULD according to the IETF definitions of those terms. Either way, the spec says the issuer identifier is a prefix of the metadata endpoint, not the URL of the endpoint itself, so it wouldn't have the .well-known in your case. The idea being, in your OAuth 2.0 compatible implementation, if your metadata endpoint is example.org/.well-known, your issuer identifier would be example.org and this would recommend you offer the metadata endpoint header on the page served at example.org.
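
The check this issue proposes, as an added example that is not part of the thread or of the IndieAuth specification text: given an issuer identifier and a metadata endpoint, confirm the issuer is a prefix of the endpoint and that the page at the issuer URL serves a `Link` header with `rel="indieauth-metadata"` pointing at that same endpoint. The function names, the sample URLs and the origin-aware reading of "prefix" are assumptions of this example.

```python
import re
from urllib.parse import urljoin, urlsplit

REL = "indieauth-metadata"  # Link relation IndieAuth uses for metadata discovery


def metadata_links(link_headers, base_url):
    """Absolute targets of Link header values whose rel list includes REL.

    Simplified parsing: assumes no commas inside link parameters.
    """
    found = []
    for value in link_headers:
        for target, params in re.findall(r"<([^>]*)>([^,]*)", value):
            rel = re.search(r';\s*rel\s*=\s*"?([^";]*)"?', params, re.I)
            if rel and REL in rel.group(1).lower().split():
                found.append(urljoin(base_url, target))
    return found


def check_issuer_page(issuer, metadata_endpoint, issuer_link_headers):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    iss, meta = urlsplit(issuer), urlsplit(metadata_endpoint)
    same_origin = (iss.scheme, iss.netloc.lower()) == (meta.scheme, meta.netloc.lower())
    # Assumption of this example: "prefix" is checked per origin and path, so
    # https://example.org is not accepted as a prefix of https://example.org.evil.test/
    if not (same_origin and meta.path.startswith(iss.path)):
        findings.append("issuer is not a prefix of the metadata endpoint")
    advertised = metadata_links(issuer_link_headers, issuer)
    if not advertised:
        findings.append("issuer page serves no indieauth-metadata Link header")
    elif metadata_endpoint not in advertised:
        findings.append("issuer page advertises a different metadata endpoint")
    return findings


# Constructed sample values (not taken from a real site).
ISSUER = "https://example.org"
METADATA = "https://example.org/.well-known/oauth-authorization-server"
HEADERS_OK = ['<https://example.org/auth>; rel="authorization_endpoint", '
              '</.well-known/oauth-authorization-server>; rel="indieauth-metadata"']
HEADERS_MISSING = ['<https://example.org/auth>; rel="authorization_endpoint"']

if __name__ == "__main__":
    print(check_issuer_page(ISSUER, METADATA, HEADERS_OK))
    print(check_issuer_page(ISSUER, METADATA, HEADERS_MISSING))
```
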
