Overview [1]#

OpenID Provider Issuer Discovery is part of OpenID Connect Discovery and is the process of determining the location (the Issuer) of the OpenID Connect Provider for a particular End-User.

OpenID Provider Issuer Discovery is OPTIONAL.

If a Relying Party knows the OpenID Connect Provider's Issuer location through an out-of-band mechanism, then the Relying Party can skip OpenID Provider Issuer Discovery.

OpenID Provider Issuer Discovery requires the following information to make a discovery request:

  • resource - Identifier for the target End-User that is the subject of the discovery request.
  • host - Server where a WebFinger service is hosted.
  • rel - URI identifying the type of service whose location is being requested.

OpenID Connect uses the following discoverable rel value in WebFinger (RFC 7033):

  • OpenID Connect Issuer (http://openid.net/specs/connect/1.0/issuer)

The Relying Party applies normalization rules to the Identifier to determine the Resource and Host. Then it makes an HTTP GET request to the Host's WebFinger (RFC 7033) endpoint, https://{host}/.well-known/webfinger, with the resource and rel query parameters to obtain the location of the requested service. All WebFinger communication MUST utilize TLS in the manner described in Section 7.1 of OpenID Connect Discovery 1.0.

The Issuer location MUST be returned in the WebFinger response as the value of the href member of a links array element with rel member value http://openid.net/specs/connect/1.0/issuer. (Per Section 7 of WebFinger RFC 7033, obtaining the WebFinger response may first involve following some redirects.)

The returned Issuer location MUST be a URI (RFC 3986) whose scheme MUST be https, with a host component and, optionally, port and path components, and with no query or fragment components.

Note that since the Host and Resource values determined from the user input Identifier, as described in Section 2.1, are used as input to a WebFinger request, which can return an Issuer value using a completely different scheme, host, port, and URI path, no relationship can be assumed between the user input Identifier string and the resulting Issuer location. The Relying Party therefore depends on TLS protecting the WebFinger exchange, and on the follow-up check in Section 4.3 of OpenID Connect Discovery 1.0: the issuer value in the configuration document fetched from {issuer}/.well-known/openid-configuration MUST be identical to the Issuer location used to fetch it.
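The procedure above, from Identifier normalization through Issuer validation, as an added worked example in Python. This is not code from the original page or from any OpenID Connect library; it follows the rules quoted above (OpenID Connect Discovery 1.0, Sections 2.1 to 2.3) and RFC 7033. The JRD response it parses is constructed inline, and the names joe@example.com and server.example.com are the spec's own example values, so it runs offline.

```python
"""Worked example (added here; not part of the original page or of any OpenID
library): OpenID Provider Issuer Discovery with WebFinger, following OpenID
Connect Discovery 1.0 Sections 2.1-2.3 and RFC 7033.  Everything runs offline:
the JRD document below is constructed, not fetched from a real server.
"""
import json
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit

ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input: str) -> Tuple[str, str]:
    """Apply the Section 2.1 normalization steps; return (resource, host)."""
    s = user_input.strip()
    if "://" not in s and not s.lower().startswith("acct:"):
        # No scheme: interpret as [userinfo@]host[:port]path[?query][#fragment].
        # A throwaway scheme lets urlsplit separate the authority from the path.
        p = urlsplit("x://" + s)
        if "@" in p.netloc and p.path == "" and p.query == "" and p.port is None:
            userinfo, host = p.netloc.rsplit("@", 1)
            # acct scheme: any '@' inside the userinfo must be percent-encoded.
            s = "acct:" + userinfo.replace("@", "%40") + "@" + host
        else:
            s = "https://" + s
    # Step 2: strip any fragment together with the '#' delimiter.
    resource = s.split("#", 1)[0]
    if resource.lower().startswith("acct:"):
        host = resource.rsplit("@", 1)[-1]      # acct: URIs have no authority part
    else:
        # host [":" port] from the authority, minus any userinfo.
        host = urlsplit(resource).netloc.rsplit("@", 1)[-1]
    return resource, host


def webfinger_url(host: str, resource: str, rel: str = ISSUER_REL) -> str:
    """WebFinger request URL (RFC 7033 Section 4.1).  HTTPS is mandatory: a
    discovery answer received over plain HTTP could be rewritten in transit."""
    return "https://%s/.well-known/webfinger?%s" % (
        host, urlencode({"resource": resource, "rel": rel}))


def issuer_is_valid(href: str) -> bool:
    """Section 2.3: https scheme, a host, optional port/path, no query/fragment."""
    p = urlsplit(href)
    return p.scheme == "https" and bool(p.hostname) and "?" not in href and "#" not in href


def find_issuer_href(jrd_json: str) -> Optional[str]:
    """Pull the href of the issuer link out of a JRD (application/jrd+json).
    A server may ignore the rel filter and return all its links, so filter here."""
    jrd = json.loads(jrd_json)
    for link in jrd.get("links", []):
        if link.get("rel") == ISSUER_REL and isinstance(link.get("href"), str):
            return link["href"]
    return None


def discover_issuer(jrd_json: str) -> str:
    """Return the validated Issuer location or raise ValueError."""
    href = find_issuer_href(jrd_json)
    if href is None:
        raise ValueError("JRD carries no %s link" % ISSUER_REL)
    if not issuer_is_valid(href):
        raise ValueError("Issuer location %r violates Section 2.3" % href)
    # Nothing ties the Issuer to the identifier's host (Section 2.3 note), so the
    # caller's next step is to fetch {issuer}/.well-known/openid-configuration
    # over TLS and require its "issuer" claim to equal this value (Section 4.3).
    return href


# Constructed JRD response modelled on the spec's own example; NOT captured from
# a live server.  The profile-page link shows why filtering by rel matters.
SAMPLE_JRD = json.dumps({
    "subject": "acct:joe@example.com",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page",
         "href": "https://www.example.com/~joe/"},
        {"rel": ISSUER_REL, "href": "https://server.example.com"},
    ],
})

if __name__ == "__main__":
    resource, host = normalize_identifier("joe@example.com")
    print(webfinger_url(host, resource))
    print(discover_issuer(SAMPLE_JRD))
```

The request URL produced for joe@example.com is the one shown in the Discovery spec's own WebFinger example; the validation step rejects http Issuers and Issuers carrying a query or fragment, which is where a spoofed or malformed discovery answer would otherwise slip through.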

Before you can query for a resource you must solve the related problem of knowing, for a particular host, where the WebFinger service holding the OpenID Provider Issuer Discovery data lives. RFC 7033 fixes this as https://{host}/.well-known/webfinger. The earlier approach was the host-meta file, a well-known URL proposal from Web Host Metadata (RFC 6415), whose lrdd link points at the WebFinger endpoint. (We have not seen any wide implementation of this.)

For example, the host-meta data for Google is here:


Which provides:

<?xml version='1.0' encoding='UTF-8'?>
<!-- NOTE: this host-meta end-point is a pre-alpha work in progress.   Don't rely on it. -->
<!-- Please follow the list at http://groups.google.com/group/webfinger -->
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0' xmlns:hm='http://host-meta.net/xrd/1.0'>
  <hm:Host>gmail.com</hm:Host>
  <Link rel='lrdd'>
    <Title>Resource Descriptor</Title>
  </Link>
</XRD>

Now that the lrdd link in the host-meta has told us where the WebFinger endpoint is, we can query it. Google provided WebFinger data for Gmail users at a URL like http://www.google.com/s2/webfinger/?q=windley@gmail.com (this was Google's pre-RFC 7033 endpoint, served over plain HTTP and returning an XRD document rather than JRD), which returned:

<?xml version='1.0'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
	<Link rel='http://portablecontacts.net/spec/1.0' href='http://www-opensocial.googleusercontent.com/api/people/'/>
	<Link rel='http://portablecontacts.net/spec/1.0#me' href='http://www-opensocial.googleusercontent.com/api/people/103887646945247867113/'/>
	<Link rel='http://webfinger.net/rel/profile-page' href='http://www.google.com/profiles/windley' type='text/plain'/>
	<Link rel='http://microformats.org/profile/hcard' href='http://www.google.com/profiles/windley' type='text/plain'/>
	<Link rel='http://gmpg.org/xfn/11' href='http://www.google.com/profiles/windley' type='text/plain'/>
	<Link rel='http://specs.openid.net/auth/2.0/provider' href='http://www.google.com/profiles/windley'/>
	<Link rel='describedby' href='http://www.google.com/profiles/windley' type='text/plain'/>
	<Link rel='describedby' href='https://www.google.com/s2/webfinger/?q=windley@gmail.com&amp;fmt=foaf' type='application/rdf+xml'/>
</XRD>

Note what this response does and does not contain. There is an OpenID 2.0 provider link (rel http://specs.openid.net/auth/2.0/provider) but no link with rel http://openid.net/specs/connect/1.0/issuer, so it would not satisfy OpenID Provider Issuer Discovery as specified above; it is a historical WebFinger/XRD example. Most of its hrefs are also plain http URLs, which the Issuer location rule above would reject.
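The host-meta and XRD steps walked through above, as an added example in Python. This is not the page's code and not Google's. The host-meta document is constructed, and its lrdd template URL (webfinger.example.invalid) is an assumed placeholder, because the page's copy of Google's host-meta is truncated; the account XRD is an abridged copy of the response shown above. Running it shows the point made above: the XRD yields an OpenID 2.0 provider link but no OpenID Connect issuer.

```python
"""Added example, not from the original page: the legacy host-meta / XRD flow.
Step 1 reads an XRD host-meta and finds the 'lrdd' Link template (RFC 6415),
step 2 expands the template with the account URI, step 3 looks up a link by
rel in the XRD returned for the account.  Swap xml.etree for defusedxml when
the XML comes from a server you do not control.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import quote

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
OPENID2_PROVIDER_REL = "http://specs.openid.net/auth/2.0/provider"

# Constructed host-meta.  Shape and rel follow the page; the template value is
# an assumed placeholder (the page's copy of Google's host-meta is truncated).
HOST_META = """<?xml version='1.0'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'
     xmlns:hm='http://host-meta.net/xrd/1.0'>
  <hm:Host>gmail.com</hm:Host>
  <Link rel='lrdd' template='https://webfinger.example.invalid/?q={uri}'>
    <Title>Resource Descriptor</Title>
  </Link>
</XRD>"""

# Abridged copy of the account XRD shown above (Google's old /s2/webfinger).
ACCOUNT_XRD = """<?xml version='1.0'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Link rel='http://webfinger.net/rel/profile-page' href='http://www.google.com/profiles/windley' type='text/plain'/>
  <Link rel='http://specs.openid.net/auth/2.0/provider' href='http://www.google.com/profiles/windley'/>
  <Link rel='describedby' href='https://www.google.com/s2/webfinger/?q=windley@gmail.com&amp;fmt=foaf' type='application/rdf+xml'/>
</XRD>"""


def lrdd_template(host_meta_xml: str) -> Optional[str]:
    """Template of the rel='lrdd' Link, or None when the host publishes none."""
    root = ET.fromstring(host_meta_xml)
    for link in root.iter(XRD_NS + "Link"):
        if link.get("rel") == "lrdd" and link.get("template"):
            return link.get("template")
    return None


def expand_template(template: str, account_uri: str) -> str:
    """Replace the literal {uri} placeholder with the percent-encoded account URI."""
    return template.replace("{uri}", quote(account_uri, safe=""))


def link_href(xrd_xml: str, rel: str) -> Optional[str]:
    """href of the first Link whose rel matches exactly; None if absent.
    Exact comparison matters: rel values are URIs, not free-form labels."""
    root = ET.fromstring(xrd_xml)
    for link in root.iter(XRD_NS + "Link"):
        if link.get("rel") == rel:
            return link.get("href")
    return None


if __name__ == "__main__":
    query_url = expand_template(lrdd_template(HOST_META), "acct:windley@gmail.com")
    print(query_url)
    print("OpenID 2.0 provider:", link_href(ACCOUNT_XRD, OPENID2_PROVIDER_REL))
    print("OpenID Connect issuer:", link_href(ACCOUNT_XRD, OIDC_ISSUER_REL))
```

The None returned for the OpenID Connect issuer rel is the practical lesson: an RP must look up the exact rel URI it needs and must not fall back to a neighbouring link such as the OpenID 2.0 provider.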

« This page (revision-8) was last changed on 15-Nov-2017 14:27 by jim