Open ID Connect hint on the URL – fight IP “authentication’ change EZproxy!

From IIW

Open ID Connect

Tuesday 5G Convener: Judith Bush

Notes-taker(s): Judith Bush

Tags for the session - technology discussed/ideas considered:

Discovery, EZproxy

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

IIW22 TU 5G OpenID Connect 1.png

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

OpenID Connect uses WebFinger[RFC7033] to locate the OpenID Provider for an End-User. Once the OpenID Provider has been identified, the configuration information for that OP is retrieved from a well-known location as a JSON document, including its OAuth 2.0 endpoint locations. "   Issuer discovery is OPTIONAL; if a Relying Party knows the OP's Issuer location through an out-of-band mechanism, it can skip this step and proceed to Section 4.   issuer

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

  • Oauth flows don’t match the library flow model
  • Will look into Google’s AMP protocol

IIW22 TU 5G OpenID Connect 2.png