Paul Hethmon | 27 Jan 23:38 2016

[OpenID] discovery url vs issuer

First, I haven’t seen any traffic from this list since joining a month ago, so if I’m off topic, please
let me know.

I am beginning conformance testing and seeing an unexpected error from the conformance tool. My setup is
that my issuer has a value like:

I’ve got my metadata at this URL:

With support for appending the value “.well-known/openid-configuration”. That returns a metadata
document with my issuer value as above.

Testing gives me:

0.000465 ------------ DiscoveryRequest ------------
0.000496 Provider info discover from ''

0.000503 --> URL:

0.161675 [ERROR] IssuerMismatch:'' != ''

So it’s obvious the tool is requiring the issuer value to be where the discovery request goes to and that it match.

Where in the spec does it say that? I’m not finding it. In the OpenID Connect Discovery 1.0 (errata set 1),
section 3 says:

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer
Identifier. If Issuer discovery is supported (seeSection 2), this value MUST be identical to the issuer
(Continue reading)

John Bradley | 18 Jan 14:47 2016

[OpenID] Opened Summit in Santiago

We are organizing a one day summit in Santiago Chile at the University de Chile on May 31, before the IETF
meeting in Buenos Aires the following week.

I will let people know once the eventbrite page for registrations is ready. 

This will be our first OPenID summit in the Southern hemisphere.

John B.
Attachment (smime.p7s): application/pkcs7-signature, 5843 bytes
general mailing list
general <at>
Steve Garing | 7 Dec 11:42 2015

[OpenID] Return Authorities to Client


Is there a standard way to return the authorities to a client?  I haven’t been able to get the authorities returned via standard functionality in the MITREid Connect project and we’d like the clients to have visibility of a users role to determine some client side functionality.

Would it correct to think that the clients can request and extra scope like ‘authorities’ and then provide the authorities in the id_token and from the userinfo endpoint?

general mailing list
general <at>
benutzerlogin | 30 Nov 18:27 2015

[OpenID] How to get started with OpenID


I would like to add OpenID login to my website. More precisely
WargamingID. But I can't find anywhere some kind of tutorial to do so. I
have asked web-masters who are using OpenID/WargamingID for login. I
have asked in several forums. But I don't get an answer. It looks like
OpenID is a big secret only accessible for some IT-professionals.
I'm using Joomla. Bad luck they excluded the OpenID-Extension with
Version 2.

I have read the developer section on OpenID homepage, but that's way to
advanced for me.

Is there anybody who could tell me how to get started as non-professional?

Or is OpenID to sophisticated for the general interested public?

Link to WargamingID API:

Thanks and kind regards,



Marek Mayer
Am Otterberg 73
95032 Hof
home_pw | 30 Oct 22:38 2015

[OpenID] Real estate, energy and openid

A little bit of feel good news.

US residential/commercial regulated real estate standards folks met again, last week. Ever growing, it saw interactions from the once Paraihia-staus "new homes"  folks (with rp dbs of new home data( and even the us federal government (and it's layers of contractors, agencies and govt labs -that I've tried hard to forgot I once work for).

Abways, aside from an solid but standard demo of using micrisoft/owin libs to build openid issuers and "account linking" rps that can also talk to amazon - based an openid issuer, we say something else (on paper) that really charcuterizes the true scope of openid.

For privacy reasons, utility companies don't share meter data with just anyone but a nice initiate is to allow id tokens to not only unlock api guards and meditate Web sessions but authorize unlocking website endpoints (to which that some user guarded website  akready showing other home listing dara might hyperlink). To be exact, to autorize some contractor vendor guarding release of some other utility companies (smart) meter data from yr house, to release the data (and rely on the Id tojen, for privacy audit puposes).

Just though I'd share some application domain information, this time based on doe agency folk bringing their govt reach to bear. Hard to say the us national Id initiative is not working...

Sent by Outlook for Android

general mailing list
general <at>
Mike Jones | 10 Sep 08:54 2015

[OpenID] OpenID Connect Back-Channel Logout Specification

A new back-channel OpenID Connect Logout spec has been published at  This can coexist with or be used instead of the front-channel-based Session Management and HTTP-Based Logout specifications.


The abstract for the new specification states:

This specification defines a logout mechanism that uses back-channel communication between the OP and RPs being logged out; this differs from front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent.


This completes publication of the three planned OpenID Connect logout mechanisms:  two that communicate on the front-channel through the User Agent (browser) and this one that communicates on the back-channel, without involving the User Agent.  See the Introduction for a discussion of the upsides and downsides of the different logout approaches.  As much as we'd like there to be a single logout solution, both experience and extensive discussions led us to the conclusion that there isn't a feasible one-size-fits-all approach.


Reviews of the new (and existing!) specifications are welcomed.


Thanks to John Bradley, Pedro Felix, Nat Sakimura, Brian Campbell, and Todd Lainhart for their contributions to the creation of the specification.


                                                            -- Mike


P.S.  This note was also published at and as <at> selfissued.

general mailing list
general <at>
Dick Hardt | 6 Sep 21:52 2015

[OpenID] access to draft specifications?

Hi Don / Mike

I wanted to review the latest drafts of:

 Account Chooser WG
 Native Applications WG

But it does not look like there are any public, read only versions of those specifications.

Did I do something wrong in trying to get access?

I registered for the Oct 26 OpenID meeting. Do I have to be a member to attend?

-- Dick

general mailing list
general <at>
John Bradley | 2 Aug 23:33 2015

[OpenID] New iGov Working Group Charter proposal.

At the request of a number of Governments, some of whom have OpenID Connect deployments and others that are considering it, we propose to form a new OIDF Working group.

The goal is to have a common deployment profile that can be customized for the needs of both pubic and private sector deployments that require the higher levels of security that OpenID Connect can support.

"The purpose of this working group is to develop a security and privacy profile of the OpenID Connect specifications that allow users to authenticate and share consented attribute information with public sector services across the globe. The resulting profile will enable standardized integration with public sector relying parties in multiple jurisdictions. The profile will be applicable to, but not exclusively targeted at, identity broker-based implementations.

The fill draft charter is available at

Feedback and additional proposers are welcome.

John Bradley
general mailing list
general <at>
Peter Williams | 22 Jul 14:58 2015

Re: [OpenID] Lots of great data about JWT and OpenID Connect adoption!


Openid connect I do see as a distinct improvement, in the generic upper layer protocol stack. It goes beyond
being an application context of layer 5, 6 and 7-baseline security protocols  cooperating with the
insecure stack to protect telematic applications. It merges the security management plane with the
comsec plane, in interesting ways.

Not sure about jwt. Apart from changing the term cert to token, not really sure why its not just the latest
encoding of x509, with profiled extensions.

I wasn't too impressed with the aws to azure aad integration, supposedly an exemplary model of American
cloud integrations. Neither the saml nor connect integrations shine.   The Google and Microsoft hookups
do look strong though (and hint at the multi cloud break through (complementing docker compusec security models)).

I'd be happier with jwt if I saw it in such as Microsoft template projects whichtraditionally teach and
liberate. So far, jwt is absent, with os/machine tokens being minted when an websites own AS handles
grants, complementing its webapi endpoint support. Perhaps things will rev, though, as folks feel
comfortable letting the AS cease to be a controlled cloud vendor, social id related concept and become a
signed blob for all occasions.

Sent from my Windows Phone

-----Original Message-----
From: "Mike Jones" <Michael.Jones <at>>
Sent: ‎7/‎21/‎2015 3:30 PM
To: "openid-specs-ab <at>" <openid-specs-ab <at>>; "Matias Woloski" <matias <at>>
Cc: "openid-connect-interop <at>" <openid-connect-interop <at>>;
"openid-code <at>" <openid-code <at>>;
"openid-general <at>" <openid-general <at>>;
"specs <at>" <specs <at>>; "board <at>" <board <at>>
Subject: [OpenID] Lots of great data about JWT and OpenID Connect adoption!

Read and check out 
Very cool!

I posted about this at and as  <at> selfissued.

                                                            -- Mike

general mailing list
general <at>
Cal Heldenbrand | 23 Jun 19:57 2015

[OpenID] Discovery Endpoint CORS support?

Hi everyone,

I noticed when reading through the OIDC core spec, Section 4 has a blurb recommending CORS header support: 

The UserInfo Endpoint SHOULD support the use of Cross Origin Resource Sharing (CORS) [CORS] and or other methods as appropriate to enable Java Script Clients to access the endpoint.

But when I look through the Discovery document, there are no mentions of CORS support.  If an OP advertises the implicit flow in the metadata, shouldn't CORS support be a requirement in the specification?  Otherwise a js client will choke on an AJAX discovery request, and the whole process is busted unless the developer manually specifies the endpoints.

I ran into this when testing the Implicit flow against Google's discovery endpoint, and started down the rabbit hole of reading.  ;-)

Thank you!


Cal Heldenbrand
   Web Operations at FBS
   Creators of flexmls® and Spark Platform
   cal <at>
general mailing list
general <at>
Peter Williams | 4 Jun 17:57 2015

[OpenID] Realty adoption

Took 5 years (from my doing a demo of Microsoft clouds gatewaying to Google's and myopenid's op) but the us realty standards group just took a decision to rip out its custom oauth profile in a webapi spec in preference to citing openid connect.

Wow. Good chunk of US GDP just endorsed openid. Someone somewhere is doing something right.

Kudos to both Microsoft azure and amazon web service for tipping the modern argument (by making it impossible to deny how easy it now is, on many platforms.) Given the full history of this little success, should also commend the google team for actual inter vendor interoperability, from the outset.

Sent from my Windows Phone
general mailing list
general <at>