Include issuer finding in Discovery #2

Open
jumbojett opened this issue Apr 25, 2013 · 1 comment
@jumbojett

There are two steps to discovery:

  1. figuring out which "issuer" to use for a given user
  2. figuring out the configuration once you have the issuer

One way of supporting this feature is utilizing an account chooser.

  1. look for the "iss" parameter on a login page for your issuer
  2. once you have that, you can get the configuration, and go
    it's particularly useful if you're logging in using multiple issuers

Server discovery in Java
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java

  • Effectively, if it gets an "iss" parameter, it uses that as the issuer.
    If it doesn't, it redirects you to the account chooser URL
    This gets tied into the rest of the client filter that does the heavy lifting.
@ghost ghost assigned jumbojett Apr 25, 2013
@identitymonk

Yes, in fact: when constructed, the OpenID Connect configuration asks for the base provider URL, to which it automatically adds the /.well-known/openid-configuration suffix. Then the $wellKnown value is loaded with all the OpenID server properties, including the issuer URL.

Then in the function verifyJWTClaims the return value should be:

    // Compare "iss" against the issuer loaded from the discovery document.
    return (($claims->iss == $this->wellKnown->issuer)
        && (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
        && ($claims->nonce == $this->getNonce())
        && ( !isset($claims->exp) || $claims->exp >= time())
        && ( !isset($claims->nbf) || $claims->nbf <= time())
        && ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )
    );

and not:

    return (($claims->iss == $this->getProviderURL())
        && (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
        && ($claims->nonce == $this->getNonce())
        && ( !isset($claims->exp) || $claims->exp >= time())
        && ( !isset($claims->nbf) || $claims->nbf <= time())
        && ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )
    );

Because the providerURL can be very different from the issuerURL.

JF
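
An added example (not code from this issue or from the OpenID-Connect-PHP project) of the claim checks discussed above, with `iss` compared as an exact string against the `issuer` value from the discovery document and `aud` accepted as either a string or an array. The function name `checkIdTokenClaims`, the URLs, client ID and nonce are assumptions made for illustration, the discovery document is constructed, and the `at_hash` check is left out.

```php
<?php
declare(strict_types=1);

// Constructed discovery document, standing in for the response from
// <provider URL>/.well-known/openid-configuration (all values are made up).
const PROVIDER_URL = 'https://login.example.test/tenant-a';
const DISCOVERY_JSON = '{"issuer":"https://id.example.test/",'
    . '"authorization_endpoint":"https://login.example.test/tenant-a/authorize"}';

/** Hypothetical helper: returns the names of the failed checks (empty array = accepted). */
function checkIdTokenClaims(object $claims, object $wellKnown, string $clientId, string $nonce, int $now): array
{
    $errors = [];
    // The expected issuer comes from the discovery document, not from the provider URL.
    if (!isset($claims->iss, $wellKnown->issuer) || !is_string($claims->iss)
        || $claims->iss !== $wellKnown->issuer) {
        $errors[] = 'iss';
    }
    // "aud" may be a single string or an array of strings; normalise before a strict search.
    $aud = isset($claims->aud) ? (array) $claims->aud : [];
    if (!in_array($clientId, $aud, true)) {
        $errors[] = 'aud';
    }
    // Constant-time comparison of the nonce stored for this login attempt.
    if (!isset($claims->nonce) || !is_string($claims->nonce) || !hash_equals($nonce, $claims->nonce)) {
        $errors[] = 'nonce';
    }
    // As in the code quoted above, exp and nbf are only checked when present.
    if (isset($claims->exp) && $claims->exp < $now) {
        $errors[] = 'exp';
    }
    if (isset($claims->nbf) && $claims->nbf > $now) {
        $errors[] = 'nbf';
    }
    return $errors;
}

$wellKnown = json_decode(DISCOVERY_JSON, false, 512, JSON_THROW_ON_ERROR);
$now = 1700000000; // fixed clock so the sample is reproducible

// Constructed claims: one token from the discovered issuer, one whose iss is the provider URL.
$fromIssuer = (object) ['iss' => 'https://id.example.test/', 'aud' => ['other-client', 'my-client'],
                        'nonce' => 'n-123', 'exp' => $now + 300, 'nbf' => $now - 5];
$fromProviderUrl = (object) ['iss' => PROVIDER_URL, 'aud' => 'my-client',
                             'nonce' => 'n-123', 'exp' => $now + 300];

var_dump(checkIdTokenClaims($fromIssuer, $wellKnown, 'my-client', 'n-123', $now));
var_dump(checkIdTokenClaims($fromProviderUrl, $wellKnown, 'my-client', 'n-123', $now));
```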

azmeuk pushed a commit that referenced this issue Nov 20, 2021
update from remote base master
piuma referenced this issue in piuma/OpenID-Connect-PHP Nov 8, 2023
mstrey added a commit to mstrey/OpenID-Connect-PHP that referenced this issue Apr 12, 2024
Changed parameter jumbojett#2 of http_build_query to empty string
hexmode pushed a commit to hexmode/OpenID-Connect-PHP that referenced this issue Apr 20, 2024
Changed parameter jumbojett#2 of http_build_query to empty string