DNS Based OpenID Connect Discovery
DNS BASED Open ID Connect Discovery
Convener: Marcos Sanz (on video conference from Germany) & Mike Schwarz
Notes-taker(s): Mike Schwartz
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Discussed draft created by Marcos Sanz, which can be found here:
1. DNS is already in use for discovery, while Webfinger is used only for OpenID Connect.
2. DNS is probably more secure then a web service
1. RP developers will have to support both methods, because some IDP's may support one or the other.
2. RP developers will need a DNS client library to resolve discovery, versus using a 100% web tools.
3. Webfinger can handle more complex discovery rules, especially where email is at the top level, but there may be a number of underlying OpenID Providers. For example, let's say there are OP's at us.corp.com, emea.corp.com, and china.corp.com. But... all email for users is at firstname.lastname@example.org for simplicity. DNS might struggle to implement the business logic for this scenario.
4. Oversimplifying a little... in some large enterprise environments, coordination with the "DNS department" adds some complexity to a rollout where OpenID Connect is primarily an operational concern of the "web department"
Although there was a fair amount of skepticism, there did seem to be a case for supporting this, as it would be sufficient in the vast number of cases, and management of a one-off discovery service is not ideal for organizations.