
In the OpenID Connect Discovery 1.0 spec, section "User Input using E-Mail Address Syntax", they have this example:

  GET /.well-known/webfinger
    ?resource=acct%3Ajoe%40example.com
    &rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
    HTTP/1.1
  Host: example.com

  HTTP/1.1 200 OK
  Content-Type: application/jrd+json

  {
   "subject": "acct:joe@example.com",
   "links":
    [
     {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://server.example.com"
     }
    ]
  }

I tried

  curl -GLv http://yahoo.com/.well-known/webfinger \
      --data-urlencode "resource=acct:myrealname@yahoo.com" \
      --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"

I also tried

  curl -GLv http://gmail.com/.well-known/webfinger \
      --data-urlencode "resource=acct:myrealname@gmail.com" \
      --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"

among a few others. But all I get is 404 Not Found.

Maybe I'm doing something wrong, or there might be no place on the Internet that will actually return the 200 OK shown in the example above.

My question is, given an OpenID (I mean what the user types in the login form), how do you determine where the OpenID Provider Issuer is? In other words, if I want to allow logins via OpenID Connect, do I have to keep my own map from OpenID patterns to OpenID issuers?

Ed I
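The two halves of the lookup the question is asking about (turning what the user typed into the WebFinger request, then pulling the issuer out of the JRD) are small enough to show end to end. The following is an added example, not code from the question or from any OpenID Connect library: it follows the identifier normalization in OpenID Connect Discovery 1.0 section 2.1 (e-mail syntax becomes an `acct:` URI, URL syntax is used as-is with the fragment dropped) and the JRD format of RFC 7033, and it always sends the WebFinger request over HTTPS, which RFC 7033 requires (a plain `http://` request is wrong regardless of whether the host supports WebFinger). The JRD it parses is the spec example above, embedded as constructed input so the script runs offline; the HTTP fetch itself is left to the caller.

```python
"""Resolve a user-typed OpenID Connect identifier to its issuer via WebFinger.

Added example. Network I/O is the caller's job; discover() takes the JRD
body as text so it can be exercised offline with a constructed document.
"""
import json
from urllib.parse import urlencode, urlsplit

# The link relation that names the OP issuer (OpenID Connect Discovery 1.0, section 2).
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input):
    """Return (resource, host) for the WebFinger request, per Discovery section 2.1.

    "joe@example.com"            -> ("acct:joe@example.com", "example.com")
    "https://example.com/joe#x"  -> ("https://example.com/joe", "example.com")
    "example.com:8080"           -> ("https://example.com:8080", "example.com:8080")
    """
    s = user_input.strip()
    if s.startswith("acct:") or ("@" in s and "://" not in s):
        # E-mail address syntax: the host (with optional port) is everything
        # after the last '@'.
        acct = s if s.startswith("acct:") else "acct:" + s
        return acct, acct.rsplit("@", 1)[1]
    if "://" not in s:
        s = "https://" + s
    parts = urlsplit(s)
    if not parts.netloc:
        raise ValueError(f"cannot determine host from identifier: {user_input!r}")
    # URL syntax: the fragment is discarded before the value is used as the resource.
    return parts._replace(fragment="").geturl(), parts.netloc


def webfinger_url(user_input):
    """Build the WebFinger request URL. HTTPS is mandatory (RFC 7033 section 4)."""
    resource, host = normalize_identifier(user_input)
    query = urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return f"https://{host}/.well-known/webfinger?{query}"


def issuer_from_jrd(jrd_text, expected_resource):
    """Extract the OP issuer from a JRD body.

    Rejects a document that is not about the resource we asked for (a server
    may answer with an alias, so 'aliases' is consulted too) and an issuer
    that is not an https URL, since the RP will fetch metadata from it.
    """
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != expected_resource and expected_resource not in jrd.get("aliases", []):
        raise ValueError("JRD subject does not match the requested resource")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            href = link.get("href", "")
            if not href.startswith("https://"):
                raise ValueError(f"issuer must be an https URL: {href!r}")
            return href
    raise LookupError("no OpenID Connect issuer link in JRD")


def openid_configuration_url(issuer):
    """Discovery section 4: append /.well-known/openid-configuration to the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def discover(user_input, jrd_text):
    """Return (issuer, configuration_url) for a user identifier and its JRD."""
    resource, _host = normalize_identifier(user_input)
    issuer = issuer_from_jrd(jrd_text, resource)
    return issuer, openid_configuration_url(issuer)


# Constructed input: the JRD from the spec example quoted above.
SAMPLE_JRD = """{
 "subject": "acct:joe@example.com",
 "links": [
  {"rel": "http://openid.net/specs/connect/1.0/issuer",
   "href": "https://server.example.com"}
 ]
}"""

if __name__ == "__main__":
    print(webfinger_url("joe@example.com"))
    print(discover("joe@example.com", SAMPLE_JRD))
```

A real relying party would GET `webfinger_url(...)`, require a 200 with `application/jrd+json`, and hand the body to `discover()`; the next step is fetching the configuration URL and checking that the `issuer` field inside it equals the issuer the JRD pointed at.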

2 Answers


OpenID Connect is different from OpenID 2.0. Yahoo supports OpenID 2.0 but does not support OpenID Connect + Discovery yet, hence the 404. Here's a place on the internet that returns 200 OK:

  curl -GLv https://seed.gluu.org/.well-known/webfinger \
      --data-urlencode "resource=acct:mike@seed.gluu.org" \
      --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"

Hans Z.
  • It works! Now, since this seems to be the only place that implements OpenID Connect Discovery, how am I supposed to handle discovery? My own lookup table? – Ed I Dec 08 '14 at 17:25
  • One can implement a functional OpenID Connect Discovery without the WebFinger part: just ask the user for a domain name instead of an account name/username and pull OpenID Connect metadata directly from https://<domain>/.well-known/openid-configuration; there are quite a number of OpenID Connect implementations that conform to this. This is less flexible w.r.t. the binding between users and domains, and the user should know the domain for the OP, which makes it harder; e.g. for selecting Google one would have to enter "accounts.google.com". You could offer the big consumer OPs in a dropdown menu. – Hans Z. Dec 08 '14 at 19:50

The WebFinger spec is relatively new and OpenID Connect is even newer, so neither is widely deployed, yet. You can get info from my personal account:

  $ curl https://packetizer.com/.well-known/webfinger?resource=acct%3Apaulej%40packetizer.com

I do not have OpenID Connect implemented (yet), but ping me if you want to test with general WebFinger queries. I can have my server emit anything you want to test.

paulej