I've been trying to understand the exact rules around the `issuer` (which MUST be an HTTPS URL) in the dynamically discovered OP metadata, the `issuer` and `iss` fields that need to match, as well as the requirement for `iss` and `sub` to be the same and in accordance with the subject syntax types (and thus can't be an HTTPS URI).

As I understand it, there are two valid subject_syntax_types at the moment defined in this specification:

- JWK Thumbprint URI
- DID

I made up the following requirements from reading the spec:

- The `sub` claims of a Self-Issued ID Token defined in this specification are "`urn:ietf:params:oauth:jwk-thumbprint` for JWK Thumbprint Subject Syntax Type and `did:` for Decentralized Identifier Subject Syntax Type." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-11.1-2.3)
- "The `iss` and the `sub` claims are the same." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-2.1-2.4.1, and also hinted at in other parts of the spec)
- When dynamic discovery of Self-Issued OpenID Provider Metadata is used, the `issuer` property in the metadata is REQUIRED, and MUST be a "URL using the `https` scheme with no query or fragment component that the Self-Issued OP asserts as its Issuer Identifier. MUST be identical to the `iss` Claim value in ID Tokens issued from this Self-Issued OP." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-6.1-6.2.2.1)

So if we combine all these requirements, I'm not sure how the `issuer` field can be an HTTPS URL, the `issuer` and `iss` fields need to be the same, and where the `iss` and `sub` claims also need to be the same, and the `sub` claim can only be a JWK thumbprint or a DID. It seems you can't satisfy all those requirements. You can either:

- Make the `iss` and `sub` the same and in accordance with one of the subject syntax types (DID or JWK), but not match the `issuer` HTTPS URL
- Make the `iss` and `sub` take the value of the `issuer` HTTPS URL, but then you won't align with the subject syntax types supported. Also I'm not sure where you'd extract the key material from (as you can't use `jwks_uri` in case of SIOP).

Still learning the ins and outs of the spec, so maybe I'm missing some specific connection here.
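The three requirements quoted in the issue, applied as validation rules on the relying-party side, as an added example that is not part of the original issue and is not code from the SIOPv2 project. The function names, the "requirement" labels in the messages, the sample claim values and the discovered issuer URL are all constructed for the illustration; only the two subject syntax prefixes and the https/no-query/no-fragment rule come from the text above.

```python
from typing import Optional
from urllib.parse import urlsplit

# Prefixes the draft assigns to the two subject syntax types named in the issue.
SUBJECT_SYNTAX_PREFIXES = {
    "urn:ietf:params:oauth:jwk-thumbprint": "urn:ietf:params:oauth:jwk-thumbprint:",
    "did": "did:",
}


def is_https_issuer_url(value: str) -> bool:
    """Metadata `issuer` rule: https scheme, a host, no query, no fragment."""
    parts = urlsplit(value)
    return (
        parts.scheme == "https"
        and bool(parts.netloc)
        and parts.query == ""
        and parts.fragment == ""
    )


def matches_subject_syntax(value: str, supported_types: list[str]) -> bool:
    """`sub` rule: value must start with the prefix of a supported syntax type."""
    return any(
        value.startswith(SUBJECT_SYNTAX_PREFIXES[t])
        for t in supported_types
        if t in SUBJECT_SYNTAX_PREFIXES
    )


def check_self_issued_id_token(
    claims: dict,
    supported_types: list[str],
    discovered_issuer: Optional[str] = None,
) -> list[str]:
    """Return the list of violated requirements (empty list means all passed).

    `discovered_issuer` is the `issuer` value from dynamically discovered OP
    metadata; pass None when no dynamic discovery was performed.
    """
    problems: list[str] = []
    iss = claims.get("iss")
    sub = claims.get("sub")
    if not iss or not sub:
        return ["iss and sub are both required"]

    # Requirement: iss and sub are the same.
    if iss != sub:
        problems.append("iss and sub claims must be identical")

    # Requirement: sub uses one of the supported subject syntax types.
    if not matches_subject_syntax(sub, supported_types):
        problems.append(f"sub {sub!r} does not use a supported subject syntax type")

    # Requirement (dynamic discovery only): issuer is an https URL and equals iss.
    if discovered_issuer is not None:
        if not is_https_issuer_url(discovered_issuer):
            problems.append("discovered issuer must be an https URL without query or fragment")
        if iss != discovered_issuer:
            problems.append("iss must be identical to the discovered issuer")
    return problems


# Constructed sample inputs (placeholders, not values from any real deployment).
SUPPORTED = ["urn:ietf:params:oauth:jwk-thumbprint", "did"]
DISCOVERED_ISSUER = "https://siop.example.invalid"  # hypothetical metadata issuer
THUMBPRINT_SUBJECT = "urn:ietf:params:oauth:jwk-thumbprint:sha-256:PLACEHOLDER-THUMBPRINT"

# Option 1 from the issue: iss == sub == a subject-syntax value.
TOKEN_SYNTAX_ALIGNED = {"iss": THUMBPRINT_SUBJECT, "sub": THUMBPRINT_SUBJECT}
# Option 2 from the issue: iss == sub == the discovered https issuer.
TOKEN_ISSUER_ALIGNED = {"iss": DISCOVERED_ISSUER, "sub": DISCOVERED_ISSUER}


if __name__ == "__main__":
    print("no discovery :", check_self_issued_id_token(TOKEN_SYNTAX_ALIGNED, SUPPORTED))
    print("option 1     :", check_self_issued_id_token(TOKEN_SYNTAX_ALIGNED, SUPPORTED, DISCOVERED_ISSUER))
    print("option 2     :", check_self_issued_id_token(TOKEN_ISSUER_ALIGNED, SUPPORTED, DISCOVERED_ISSUER))
```

Without dynamic discovery the syntax-aligned token passes every check; once a discovered `issuer` is in play, option 1 trips the "identical to the discovered issuer" rule and option 2 trips the subject syntax rule, which is the tension the issue describes. Whichever reading of the draft turns out to be intended, an RP validator should report each violated rule separately rather than a single pass/fail, so the mismatch is visible in logs.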