SpoonX / aurelia-authentication

Authentication plugin for aurelia.
http://aurelia-authentication.spoonx.org
MIT License

Feature request: Implement support for OpenID's Discovery endpoint #361

Closed norgie closed 3 years ago

norgie commented 6 years ago

The OpenID specification mandates(?) a so-called discovery endpoint. Quoting from an article at leastprivilege.com (https://leastprivilege.com/2017/01/06/bootstrapping-openid-connect-discovery/):

"The idea is simple, every OpenID Connect provider should offer a JSON document under the /.well-known/openid-configuration URL below its base-address (often also called the authority). This document has information about the issuer name, endpoint URLs, key material and capabilities of the provider, e.g. which scopes or response types it supports."

So instead of every user of aurelia-authentication hard-coding this in e.g. a file called authConfig.js or something similar, perhaps aurelia-authentication could use these values "behind the scenes", so to speak. That way the client app will adapt to any changes in the OpenID-based identity provider without having to change any configuration files or hard-coded values. I also believe supporting the use of the discovery endpoint will make life a lot easier for many programmers.

Another quote is from the same document as mentioned above:

"Recently we’ve been involved in a penetration test against client libraries, and one technique the pen-testers used was compromising discovery. Based on their feedback, the following extra checks should be done when consuming a discovery document: