Testing OIDC client registration

Liam Hoekenga liamr at umich.edu
Wed May 15 18:29:40 EDT 2019


>
> One question before I try this, though: why do I have to manually download
> the OP’s metadata and install it? Isn’t part of the whole thing the
> module’s ability to dynamically discover and download the OP’s information?
>

I think that it's supposed to be able to download the metadata.

I believe if you give it a hostname, it's supposed to try to find the
well-known information, and I think that username at example.edu looks to require
that the .well-known information be located at https://example.edu.

I think that hostname-based discovery has issues (at least it did in
mid-March). If I don't specify the protocol, it complains:

[Fri Mar 15 16:09:00 2019] [error] [client xxx.xxx.xxx.xxx]
oidc_metadata_provider_is_valid: requested issuer (idp.example.edu) does
not match the "issuer" value in the provider metadata file:
https://idp.example.edu, referer: https://sp.example.umich.edu/oidc/

The spec says iss is supposed to be a case-sensitive HTTPS URL. I had
assumed the hostname was sufficient based on the default form and
"mitreid.org" (but even mitreid.org generates an error, requiring
"https://mitreid.org" to work).

I asked the developer (Hans Zandbelt) and he said he believed that it was
due to a change at some point in the code where he started to put more
strict requirements on the provided issuer values because of recent attacks
but failed to adapt the HTML discovery pages.

Liam
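The issuer check behind the error quoted above, as an added, simplified example written for this thread (not code from mod_auth_openidc, the post, or the Shibboleth project): the configured issuer must be an https URL, the well-known document is derived from it, and the metadata's "issuer" value has to match it exactly and case-sensitively, which is why a bare hostname is rejected. The sample metadata is constructed.

```python
"""Issuer validation as OpenID Connect Discovery (sections 4.1 and 4.3) requires it.
Constructed example; the metadata below is made up, not fetched from any OP."""
import json
from urllib.parse import urlsplit

# Fields every OP metadata document must carry, per OIDC Discovery section 3.
REQUIRED_FIELDS = ("authorization_endpoint", "jwks_uri", "response_types_supported")


def discovery_url(issuer: str) -> str:
    """Build the well-known URL for a configured issuer.

    Raises ValueError for anything that is not an https URL without query or
    fragment; a bare hostname like "idp.example.edu" has no scheme and fails here.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be an https URL without query/fragment: {issuer!r}")
    # A path component is kept; a trailing slash is not doubled.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def metadata_is_valid(requested_issuer: str, metadata_json: str) -> tuple[bool, str]:
    """Compare the configured issuer with the "issuer" claim in the OP metadata.

    The comparison is an exact string match: scheme, case and trailing slash all
    count, so "idp.example.edu" never matches "https://idp.example.edu".
    """
    try:
        metadata = json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        return False, f"metadata is not valid JSON: {exc}"
    issuer = metadata.get("issuer")
    if not isinstance(issuer, str):
        return False, 'provider metadata has no string "issuer" value'
    if issuer != requested_issuer:
        return False, (f"requested issuer ({requested_issuer}) does not match the "
                       f'"issuer" value in the provider metadata file: {issuer}')
    missing = [f for f in REQUIRED_FIELDS if f not in metadata]
    if missing:
        return False, f"provider metadata is missing required fields: {missing}"
    return True, "ok"


# Constructed sample of what an OP would serve at its well-known URL.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.edu",
    "authorization_endpoint": "https://idp.example.edu/authorize",
    "token_endpoint": "https://idp.example.edu/token",
    "jwks_uri": "https://idp.example.edu/jwks",
    "response_types_supported": ["code"],
})
```

Calling `metadata_is_valid("idp.example.edu", SAMPLE_METADATA)` reproduces the mismatch message from the log, while `"https://idp.example.edu"` passes.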