[keycloak-dev] Invalid value for iss

Stian Thorgersen stian at redhat.com
Wed Mar 25 10:17:23 EDT 2015


Yeah I know, but we're not going to be compliant unless we do. Also, more fundamental is the fact that the 'iss' value for tokens generated by different servers would be the same, so given a token you can't actually know where it's from atm.

I'm happy to do the work, unless you've got some other strong arguments against changing it?

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 25 March, 2015 3:12:41 PM
> Subject: Re: [keycloak-dev] Invalid value for iss
> 
> This requires changes to a lot of code.  I started doing it once until I
> realized how many files I would have to change.
> 
> On 3/25/2015 10:07 AM, Stian Thorgersen wrote:
> > According to the spec 'iss' should be:
> >
> >    REQUIRED. Issuer Identifier for the Issuer of the response. The iss
> >    value is a case sensitive URL using the https scheme that contains
> >    scheme, host, and optionally, port number and path components and no
> >    query or fragment components
> >
> > However, we only use realm name. As that's invalid according to the spec
> > (and also the same iss used for multiple KC servers) I propose we change
> > it to:
> >
> >    <AUTH URL>/realms/<REALM-NAME>
> >
> > For example:
> >
> >    http://localhost:8080/realms/master
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
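The two points raised in this thread (the format the spec requires for 'iss', and the fact that a bare realm name cannot tell two servers apart), as an added example that is not part of the original messages and is not Keycloak code. The function names and the `example.test` hosts are assumptions made up for illustration.

```python
from urllib.parse import quote, urlsplit

def issuer_problems(iss):
    """Return the ways `iss` departs from the quoted spec text (empty list = OK)."""
    try:
        parts = urlsplit(iss)
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return [f"not a parseable URL: {exc}"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host component")
    if parts.query or "?" in iss:
        problems.append("has a query component")
    if parts.fragment or "#" in iss:
        problems.append("has a fragment component")
    return problems

def realm_issuer(auth_url, realm):
    """Build the proposed form <AUTH URL>/realms/<REALM-NAME> (hypothetical helper)."""
    return auth_url.rstrip("/") + "/realms/" + quote(realm, safe="")

def resolve_server(claims, trusted):
    """Map a token's iss to the one server trusted under that exact string."""
    iss = claims.get("iss", "")
    problems = issuer_problems(iss)
    if problems:
        raise ValueError(f"rejecting iss {iss!r}: " + "; ".join(problems))
    if iss not in trusted:  # exact match: the value is case sensitive
        raise ValueError(f"unknown issuer {iss!r}")
    return trusted[iss]

# Constructed sample: two servers that both host a realm called "master".
SERVERS = {"server-a": "https://sso-a.example.test/auth",
           "server-b": "https://sso-b.example.test/auth"}
# Keyed by realm name alone these two would collide on "master";
# keyed by the proposed URL form they stay distinct.
TRUSTED = {realm_issuer(url, "master"): name for name, url in SERVERS.items()}

if __name__ == "__main__":
    for candidate in ["master", "http://localhost:8080/realms/master", *TRUSTED]:
        print(candidate, "->", issuer_problems(candidate) or "ok")
```

The strict check also flags the `http://localhost:8080` development value from the thread, since the quoted text asks for the https scheme.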

