Open dshanske opened 11 months ago
Looked at the related PR and this is a good idea; no notes!
(Originally published at: https://jacky.wtf/2023/11/iabv)
I'm trying to figure out where I would put this note if I did.
Being as the authorization endpoint and the flow uses the issuer identified as part of the flow, the header should probably also be served there for verification purposes.
the issuer URL
What URL is this?
should probably also
What are you trying to say? Your phrasing here and elsewhere is extremely difficult to understand.
The URL is the one provided during as the issuer parameter in the metadata endpoint and returned by the authorization endpoint.
provided during as
Care to re-phrase that?
returned by the authorization endpoint
You mean the IndieAuth Server Metadata.
And must have a metadata header conflicts with the case where discovery is done per the OAuth fallback via .well-known per RFC8414.
How so? I'm fine with SHOULD then. I don't think it conflicts saying that when the headers are served by a site, it must be served there.
Also, it doesn't note well-known as a fallback in the spec specifically.
Also, it doesn't note well-known as a fallback in the spec specifically.
The spec specifically states:
For compatibility with other OAuth 2.0 implementations, use of the .well-known path as defined in RFC8414 is RECOMMENDED but optional
RECOMMENDED is the equivalent of SHOULD according to the IETF definitions of those terms. Either way, the spec says the issuer identifier is a prefix of the metadata endpoint, not the URL of the endpoint itself, so it wouldn't have the .well-known in your case. The idea being, in your OAuth 2.0 compatible implementation, if your metadata endpoint is example.org/.well-known, your issuer identifier would be example.org and this would recommend you offer the metadata endpoint header on the page served at example.org.
Amend the specification, per #127 discussion for an extension, to note that due to the fact the issuer URL MUST have the metadata header for discovery purposes.
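An added example, not part of the thread or of the IndieAuth spec text: the relationship discussed above (the issuer identifier is a prefix of the metadata endpoint URL, and the same value is returned by the authorization endpoint) written as client-side checks. The function names, the component-wise reading of "prefix" and the sample URLs are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(parts):
    """(scheme, host, port) with the scheme's default port filled in."""
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def issuer_problems(issuer, metadata_url):
    """Return the reasons this issuer is unacceptable for this metadata endpoint URL."""
    iss, meta = urlsplit(issuer), urlsplit(metadata_url)
    problems = []
    if iss.scheme.lower() != "https":
        problems.append("issuer is not https")
    if iss.query or iss.fragment:
        problems.append("issuer has a query or fragment")
    # Assumption: "prefix" is checked per URL component rather than with
    # str.startswith, so https://example.org does not match a metadata URL
    # on the host example.org.evil.example.
    iss_path = iss.path.rstrip("/")
    same_origin = _origin(iss) == _origin(meta)
    on_boundary = meta.path == iss_path or meta.path.startswith(iss_path + "/")
    if not (same_origin and on_boundary):
        problems.append("issuer is not a prefix of the metadata endpoint")
    return problems


def iss_matches(metadata, response_params):
    """The iss returned by the authorization endpoint must equal the metadata issuer exactly."""
    iss = response_params.get("iss")
    return iss is not None and iss == metadata.get("issuer")


if __name__ == "__main__":
    # Constructed sample values.
    meta_url = "https://example.org/.well-known/oauth-authorization-server"
    print(issuer_problems("https://example.org/", meta_url))
    print(issuer_problems("https://example.org", "https://example.org.evil.example/metadata"))
    print(iss_matches({"issuer": "https://example.org/"}, {"code": "xyz", "iss": "https://example.org/"}))
```

The `iss` comparison is an exact string match, so `https://example.org` and `https://example.org/` are treated as different issuers.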