I've been trying to understand the exact rules around the issuer (which MUST be a HTTPS url) in the dynamically discovered OP metadata, the issuer and iss fields that need to match, as well as the requirement for iss and sub to be the same and in accordance with the subject syntax types (and thus can't be an HTTPS uri).
As I understand it, there's two valid subject_syntax_types at the moment defined in this specifciation:
JWK Thumbprint URI
DID
I made up the following requirements from reading the spec:
When dynamic discovery of Self-Issued OpenID Provider Metadata is used, the issuer property in the metadata is REQUIRED, and MUST be an "URL using the https scheme with no query or fragment component that the Self-Issued OP asserts as its Issuer Identifier. MUST be identical to the iss Claim value in ID Tokens issued from this Self-Issued OP." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-6.1-6.2.2.1)
So if we combine all these requirements, I'm not sure how the issuer field can be an https url, the issuer and iss fields need to be the same, and where the iss and sub claims also need to be the same, and the sub claim can only be a JWK thumbprint or a did. It seems you can't satisfy all those requirements. You can either:
Make the iss and sub the same and in accordance with one of the subject syntax types (did or jwk), but not match the issuer https url
Make the iss and sub take the value of the issuer https URL, but then you won't align with the subject syntax types supported. Also I'm not sure where you'd extract the key material from (as you can't use jwks_uri in case of SIOP).
Still learning the ins and outs of the spec, so maybe I'm missing some specific connection here.
I've been trying to understand the exact rules around the
issuer(which MUST be a HTTPS url) in the dynamically discovered OP metadata, theissuerandissfields that need to match, as well as the requirement forissandsubto be the same and in accordance with the subject syntax types (and thus can't be an HTTPS uri).As I understand it, there's two valid subject_syntax_types at the moment defined in this specifciation:
I made up the following requirements from reading the spec:
subclaims of an Self-Issued ID Token defined in this specification are "urn:ietf:params:oauth:jwk-thumbprintfor JWK Thumbprint Subject Syntax Type anddid:for Decentralized Identifier Subject Syntax Type." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-11.1-2.3)issand thesubclaims are the same." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-2.1-2.4.1, and also hinted at in other parts of the spec)issuerproperty in the metadata is REQUIRED, and MUST be an "URL using thehttpsscheme with no query or fragment component that the Self-Issued OP asserts as its Issuer Identifier. MUST be identical to theissClaim value in ID Tokens issued from this Self-Issued OP." (see https://openid.github.io/SIOPv2/openid-connect-self-issued-v2-wg-draft.html#section-6.1-6.2.2.1)So if we combine all these requirements, I'm not sure how the
issuerfield can be anhttpsurl, theissuerandissfields need to be the same, and where theissandsubclaims also need to be the same, and thesubclaim can only be a JWK thumbprint or a did. It seems you can't satisfy all those requirements. You can either:issandsubthe same and in accordance with one of the subject syntax types (did or jwk), but not match theissuerhttps urlissandsubtake the value of theissuerhttps URL, but then you won't align with the subject syntax types supported. Also I'm not sure where you'd extract the key material from (as you can't usejwks_uriin case of SIOP).Still learning the ins and outs of the spec, so maybe I'm missing some specific connection here.