Issuers in OA4MP

The OpenID Connect specification requires an issuer, that is, the URL of the server that created or issued the ID token. A client uses it for server discovery by fetching

 issuer + /.well-known/openid-configuration

and examining the returned JSON object to obtain such things as the signing keys, the supported scopes and the possible claims.

Issuer resolution for a request follows this hierarchy, in order of precedence:

  • The client explicitly has an issuer set.
  • The administrative client has an issuer set, but the client does not (so all clients it administers share this issuer unless one overrides it).
  • The server has a globally set issuer in its configuration.
  • With no issuer set anywhere, the default is the server address plus the servlet path as found in the HTTP GET request.

Since a server may, for instance, sit behind a load balancer, the actual machine name is usually a very poor choice for the issuer. An explicitly set issuer must be resolvable by a client so that server discovery works; this is one reason to set it. Another is to have specific keys used for signing (the server must have access to these and know to use them, of course). In either case the issuer must be resolvable as a web address and respond to server discovery.
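The following is an added illustration of the two points above, not OA4MP's own code: it applies the client / administrative client / server / request-derived precedence to pick an issuer, builds the discovery URL from it, and parses a constructed discovery document, refusing one whose issuer field does not match the issuer that was asked for (OpenID Connect Discovery requires the two to be identical). The function names, parameter names and the sample JSON document are assumptions made for this example.

```python
"""Added example (not OA4MP code): issuer resolution and discovery checks."""
import json
from urllib.parse import urlsplit, urlunsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"


def resolve_issuer(client_issuer, admin_issuer, server_issuer, request_url, servlet_path):
    """Apply the precedence from the page: the client's own issuer, then the
    administrative client's, then the server's global setting, and finally
    the address plus servlet path taken from the incoming HTTP GET request."""
    for candidate in (client_issuer, admin_issuer, server_issuer):
        if candidate:
            return candidate.rstrip("/")
    parts = urlsplit(request_url)
    # Default: scheme and host (with port) of the request plus the servlet path.
    # This is the load-balancer pitfall: the node's own name ends up as issuer.
    return urlunsplit((parts.scheme, parts.netloc, servlet_path.rstrip("/"), "", ""))


def discovery_url(issuer):
    """issuer + /.well-known/openid-configuration, without a double slash."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def parse_discovery(issuer, document):
    """Parse a discovery document and return the fields the page mentions.

    The document's own "issuer" value must equal the issuer we queried;
    a mismatch means discovery is answering for a different server."""
    cfg = json.loads(document)
    if cfg.get("issuer") != issuer:
        raise ValueError("issuer mismatch: expected %s, got %s" % (issuer, cfg.get("issuer")))
    return {
        "jwks_uri": cfg["jwks_uri"],
        "scopes_supported": cfg.get("scopes_supported", []),
        "claims_supported": cfg.get("claims_supported", []),
    }


# Constructed sample discovery document (example data, not from any real server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://issuer.example.org/oauth2",
    "jwks_uri": "https://issuer.example.org/oauth2/certs",
    "scopes_supported": ["openid", "email"],
    "claims_supported": ["sub", "email"],
})


if __name__ == "__main__":
    request = "https://node3.internal:8443/oauth2/authorize?client_id=abc"
    # No issuer configured anywhere: the request-derived default leaks the node name.
    print(resolve_issuer(None, None, None, request, "/oauth2"))
    # Client has an explicit issuer: it wins over every other setting.
    iss = resolve_issuer("https://issuer.example.org/oauth2", None,
                         "https://global.example.org", request, "/oauth2")
    print(discovery_url(iss))
    print(parse_discovery(iss, SAMPLE_DISCOVERY))
```

The request-derived default is deliberately computed from the request's host so the example shows why it is a poor issuer behind a load balancer: each backend node would advertise a different, usually unresolvable, issuer.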