indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Note that the Issuer Identifier URL Should Have the Metadata Headers #128

Open dshanske opened 11 months ago

dshanske commented 11 months ago

Amend the specification, per the #127 discussion of an extension, to note that the issuer URL MUST have the metadata header for discovery purposes.

jalcine commented 11 months ago

Looked at the related PR and this is a good idea; no notes!

(Originally published at: https://jacky.wtf/2023/11/iabv)

dshanske commented 11 months ago

I'm trying to figure out where I would put this note if I did.

dshanske commented 10 months ago

Since the authorization endpoint and the flow use the issuer identifier as part of the flow, the header should probably also be served there for verification purposes.

omz13 commented 10 months ago

> the issuer URL

What URL is this?

> should probably also

What are you trying to say? Your phrasing here and elsewhere is extremely difficult to understand.

dshanske commented 10 months ago

The URL is the one provided during as the issuer parameter in the metadata endpoint and returned by the authorization endpoint.

omz13 commented 10 months ago

> provided during as

Care to re-phrase that?

> returned by the authorization endpoint

You mean the IndieAuth Server Metadata.

And "must have a metadata header" conflicts with the case where discovery is done per the OAuth fallback via .well-known per RFC8414.

dshanske commented 10 months ago

How so? I'm fine with SHOULD then. I don't think it conflicts to say that when the headers are served by a site, they must be served there.

Also, it doesn't note well-known as a fallback in the spec specifically.

omz13 commented 10 months ago

> Also, it doesn't note well-known as a fallback in the spec specifically.

The spec specifically states:

> For compatibility with other OAuth 2.0 implementations, use of the .well-known path as defined in RFC8414 is RECOMMENDED but optional

dshanske commented 10 months ago

RECOMMENDED is the equivalent of SHOULD according to the IETF definitions of those terms. Either way, the spec says the issuer identifier is a prefix of the metadata endpoint, not the URL of the endpoint itself, so it wouldn't have the .well-known in your case. The idea being, in your OAuth 2.0-compatible implementation, if your metadata endpoint is example.org/.well-known, your issuer identifier would be example.org and this would recommend you offer the metadata endpoint header on the page served at example.org.
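The discovery and prefix relationship discussed in this thread, as an added Python example that is not code from the IndieAuth project or from any commenter. It models a client that looks for the `rel="indieauth-metadata"` Link header, falls back to the RFC 8414 `.well-known/oauth-authorization-server` path on the same origin when no header is present, and then checks that the issuer identifier is an https URL without query or fragment and a prefix of the metadata URL, plus the exact-match check on the `iss` value an authorization endpoint returns. The hosts, headers and helper names (`SAMPLE_RESPONSES`, `discover_metadata_url`, `issuer_is_valid`, `check_iss_param`) are constructed for this example and are not from the spec or the thread; no network requests are made.

```python
"""Added example (not IndieAuth project code): metadata discovery and issuer checks.

Assumptions (constructed for this example): the HTTP headers below are
in-memory samples standing in for real responses; example.org and
other.example are placeholder hosts."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample: headers a client would observe on three URLs.
# Only the Link header is relevant for discovery, so nothing else is modelled.
SAMPLE_RESPONSES = {
    # Issuer identifier page: serves the metadata header, as the issue proposes.
    "https://example.org/": {
        "Link": '<https://example.org/.well-known/oauth-authorization-server>; '
                'rel="indieauth-metadata"',
    },
    # Authorization endpoint: also serves it, as dshanske suggests for verification.
    "https://example.org/auth": {
        "Link": '<https://example.org/.well-known/oauth-authorization-server>; '
                'rel="indieauth-metadata", <https://example.org/auth>; '
                'rel="authorization_endpoint"',
    },
    # A site with no Link header at all: only the RFC 8414 fallback applies.
    "https://other.example/": {},
}

# One link-value: <target> followed by zero or more ;param pairs, up to a comma.
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^,;]+)*)')


def parse_link_header(value):
    """Return [(target_url, {rel, ...}), ...] parsed from an HTTP Link header."""
    links = []
    for target, params in _LINK_RE.findall(value or ""):
        rels = set()
        for param in params.split(";"):
            param = param.strip()
            if param.lower().startswith("rel="):
                # rel may hold several space-separated relation types
                rels.update(param[4:].strip('"').split())
        links.append((target, rels))
    return links


def discover_metadata_url(url, headers):
    """Prefer the rel=indieauth-metadata Link header; otherwise fall back to the
    RFC 8414 .well-known path on the same origin. Returns (metadata_url, how)."""
    for target, rels in parse_link_header(headers.get("Link")):
        if "indieauth-metadata" in rels:
            return urljoin(url, target), "link-header"
    return urljoin(url, "/.well-known/oauth-authorization-server"), "well-known-fallback"


def issuer_is_valid(issuer, metadata_url):
    """Issuer identifier rules: https scheme, no query or fragment, and a prefix
    of the indieauth-metadata URL. Returns (ok, reason) so a client can log why
    it refused a metadata document."""
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        return False, "issuer must use https"
    if parts.query or parts.fragment:
        return False, "issuer must not carry a query or fragment"
    if not metadata_url.startswith(issuer):
        return False, "issuer is not a prefix of the metadata URL"
    return True, "ok"


def check_iss_param(iss_param, expected_issuer):
    """The iss value returned by the authorization endpoint must exactly equal the
    issuer taken from the metadata document, or the response is rejected."""
    return iss_param is not None and iss_param == expected_issuer


if __name__ == "__main__":
    for page, headers in SAMPLE_RESPONSES.items():
        metadata_url, how = discover_metadata_url(page, headers)
        print(f"{page} -> {metadata_url} ({how})")
    # The compatibility case from the thread: issuer example.org, metadata under .well-known
    print(issuer_is_valid("https://example.org/",
                          "https://example.org/.well-known/oauth-authorization-server"))
```

The prefix check is the part a client should never skip: a metadata document whose `issuer` does not prefix the URL it was fetched from is not authoritative for that server, and an `iss` value that does not match the discovered issuer should end the flow rather than be ignored.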