Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using root_url in #webfinger_response can violate specification #171

Open
sato11 opened this issue Jul 11, 2022 · 1 comment · May be fixed by #172
Open

Using root_url in #webfinger_response can violate specification #171

sato11 opened this issue Jul 11, 2022 · 1 comment · May be fixed by #172

Comments

@sato11
Copy link
Contributor

sato11 commented Jul 11, 2022

The documentation says in 2. OpenID Provider Issuer Discovery:

The Issuer location MUST be returned in the WebFinger response as the value of the href member of a links array element with rel member value http://openid.net/specs/connect/1.0/issuer.

which then becomes the premise of 4. Obtaining OpenID Provider Configuration Information:

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

It seems it is assumed that our href must be exactly what our issuer configuration points to. And since issuer can be configured so that it does not always be the root_url, I feel #webfinger_response should return issuer value and not the root_url.

For example, when issuer is configured like this;

Doorkeeper::OpenidConnect.configure do
  issuer 'https://example.com/issuer1'
end

which is justified by definition, quoting from readme:

issuer: Identifier for the issuer of the response (i.e. your application URL). The value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

the response should be like this, provided that we have provider configuration available at https://example.com/issuer1/.well-known/openid-configuration.

{
  "subject": "[email protected]",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://example.com/issuer1"
    }
  ]
}
@sato11 sato11 linked a pull request Jul 11, 2022 that will close this issue
@calleluks
Copy link

We had the same issue and merged #172 into the fork we maintain with great success. Thanks for doing the work @sato11! I hope this can also be merged upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants