DNS Based OpenID Connect Discovery

From IIW
Jump to: navigation, search

DNS BASED Open ID Connect Discovery

Wednesday 1H

Convener: Marcos Sanz (on video conference from Germany) & Mike Schwarz

Notes-taker(s): Mike Schwartz

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Discussed draft created by Marcos Sanz, which can be found here:



1. DNS is already in use for discovery, while Webfinger is used only for OpenID Connect.

2. DNS is probably more secure then a web service


1. RP developers will have to support both methods, because some IDP's may support one or the other.

2. RP developers will need a DNS client library to resolve discovery, versus using a 100% web tools.

3. Webfinger can handle more complex discovery rules, especially where email is at the top level, but there may be a number of underlying OpenID Providers. For example, let's say there are OP's at us.corp.com, emea.corp.com, and china.corp.com.  But... all email for users is at ___@corp.com for simplicity. DNS might struggle to implement the business logic for this scenario.

4. Oversimplifying a little... in some large enterprise environments, coordination with the "DNS department" adds some complexity to a rollout where OpenID Connect is primarily an operational concern of the "web department"

Although there was a fair amount of skepticism, there did seem to be a case for supporting this, as it would be sufficient in the vast number of cases, and management of a one-off discovery service is not ideal for organizations.