Actually I can only find 6 places that use getIssuer in the code, one of which is
KeycloakSecurityContext.getRealm, but that can just be changed to return only the last bit
of issuer if we follow the proposed format.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 25 March, 2015 3:17:23 PM
Subject: Re: [keycloak-dev] Invalid value for iss
Yeah I know, but we're not going to be compliant unless we do. Also more
fundamentally is the fact that the 'iss' value for tokens generated by
different servers would be the same so given a token you can't actually know
where it's from atm.
I'm happy to do the work, unless you've got some other strong arguments
against changing it?
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 25 March, 2015 3:12:41 PM
> Subject: Re: [keycloak-dev] Invalid value for iss
>
> This requires changes to a lot of code. I started doing it once until I
> realized how many files I would have to change.
>
> On 3/25/2015 10:07 AM, Stian Thorgersen wrote:
> > According to the spec 'iss' should be:
> >
> > REQUIRED. Issuer Identifier for the Issuer of the response. The iss
> > value is a case sensitive URL using the https scheme that contains
> > scheme, host, and optionally, port number and path components and no
> > query or fragment components
> >
> > However, we only use realm name. As that's invalid according to the spec
> > (and also the same iss used for multiple KC servers) I propose we change
> > it to:
> >
> > <AUTH URL>/realms/<REALM-NAME>
> >
> > For example:
> >
> > http://localhost:8080/realms/master
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
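
The 'iss' rule quoted in the thread and the proposed <AUTH URL>/realms/<REALM-NAME> format, as an added example that is not part of the original messages and is not Keycloak code. The class and method names (IssuerCheck, violation, realmOf, sameIssuer) and the sso-a/sso-b.example.com hosts are assumptions made for illustration; realmOf follows the suggestion above of returning only the last bit of the issuer.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class IssuerCheck {
    /** Returns null when iss satisfies the quoted rule, else the reason it fails. */
    static String violation(String iss) {
        URI uri;
        try {
            uri = new URI(iss);
        } catch (URISyntaxException e) {
            return "not a URI";
        }
        if (!"https".equals(uri.getScheme())) return "scheme is not https";
        if (uri.getHost() == null) return "no host";
        if (uri.getRawQuery() != null) return "has a query component";
        if (uri.getRawFragment() != null) return "has a fragment component";
        return null;
    }

    /** Realm = last path segment of <AUTH URL>/realms/<REALM-NAME>. */
    static String realmOf(String iss) {
        String path = URI.create(iss).getPath();
        String marker = "/realms/";
        int i = (path == null) ? -1 : path.lastIndexOf(marker);
        if (i < 0) throw new IllegalArgumentException("no /realms/<name>: " + iss);
        String realm = path.substring(i + marker.length());
        if (realm.isEmpty() || realm.contains("/"))
            throw new IllegalArgumentException("bad realm segment: " + iss);
        return realm;
    }

    /** iss is case sensitive, so compare the exact strings without normalising. */
    static boolean sameIssuer(String expected, String tokenIss) {
        return expected.equals(tokenIss);
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed sample values
            "master",                              // realm name only
            "http://localhost:8080/realms/master", // the thread's example URL
            "https://sso-a.example.com/auth/realms/master",
            "https://sso-a.example.com/auth/realms/master?x=1",
        };
        for (String s : samples) {
            String why = violation(s);
            System.out.println(s + " -> " + (why == null ? "ok, realm=" + realmOf(s) : why));
        }
        // Same realm name on two servers no longer collides once iss carries the URL.
        System.out.println(sameIssuer("https://sso-a.example.com/auth/realms/master",
                                      "https://sso-b.example.com/auth/realms/master"));
    }
}
```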