Reputation: 7358
In the OpenID Connect Discovery 1.0 spec, section User Input using E-Mail Address Syntax they have this example:
    GET /.well-known/webfinger
      ?resource=acct%3Ajoe%40example.com
      &rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
      HTTP/1.1
    Host: example.com

    HTTP/1.1 200 OK
    Content-Type: application/jrd+json

    {
      "subject": "acct:joe@example.com",
      "links":
        [
          {
            "rel": "http://openid.net/specs/connect/1.0/issuer",
            "href": "https://server.example.com"
          }
        ]
    }
I tried
    curl -GLv http://yahoo.com/.well-known/webfinger \
      --data-urlencode "resource=acct:[email protected]" \
      --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"
I also tried
    curl -GLv http://gmail.com/.well-known/webfinger \
      --data-urlencode "resource=acct:[email protected]" \
      --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"
among a few. But all I get is 404 Not Found.
Maybe I'm doing something wrong, or there might be no place on the Internet that will actually return the 200 OK shown in the example above.
My question is, given an OpenID (I mean what the user types here), how do you determine where the OpenID Provider Issuer is? In other words, if I want to allow logins via OpenID Connect, do I have to keep my own map from OpenID patterns to OpenID issuers?
Upvotes: 4
Views: 1248
Reputation: 104
The WebFinger spec is relatively new and OpenID Connect is even newer, so neither is widely deployed yet. You can get info from my personal account:
    $ curl "https://packetizer.com/.well-known/webfinger?resource=acct%3Apaulej%40packetizer.com"
I do not have OpenID Connect implemented (yet), but ping me if you want to test with general WebFinger queries. I can have my server emit anything you want to test.
Upvotes: 1
Reputation: 53928
OpenID Connect is different from OpenID 2.0. Yahoo supports OpenID 2.0 but does not support OpenID Connect + Discovery yet, hence the 404. Here's a place on the internet that returns 200 OK:
    curl -GLv https://seed.gluu.org/.well-known/webfinger \
      --data-urlencode "resource=acct:[email protected]" \
      --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"
Upvotes: 2
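The discovery steps asked about in the question, as an added example that is not code from the question, the answers, or the spec: it turns e-mail style input into the WebFinger request from the quoted example, then extracts and checks the issuer from the JRD response. The function names are assumptions, only e-mail address syntax is handled, and no network I/O is done (the JRD is the spec example quoted in the question).

```python
import json
from urllib.parse import urlencode, urlsplit

ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# The JRD response from the spec example quoted in the question.
SAMPLE_JRD = """{
  "subject": "acct:joe@example.com",
  "links": [{"rel": "http://openid.net/specs/connect/1.0/issuer",
             "href": "https://server.example.com"}]
}"""

def webfinger_request(user_input):
    """Map e-mail style input to (resource, WebFinger URL)."""
    ident = user_input.strip()
    if ident.startswith("acct:"):
        ident = ident[len("acct:"):]
    local, sep, host = ident.rpartition("@")
    if not sep or not local or not host or any(c in host for c in "/?#"):
        raise ValueError("not e-mail address syntax: %r" % user_input)
    resource = "acct:" + ident
    query = urlencode({"resource": resource, "rel": ISSUER_REL})
    # Always query over https; the host is the part after the last '@'.
    return resource, "https://%s/.well-known/webfinger?%s" % (host, query)

def issuer_from_jrd(body):
    """Return the issuer href from a JRD document, or None if no issuer link."""
    for link in json.loads(body).get("links", []):
        if link.get("rel") != ISSUER_REL:
            continue
        href = link.get("href", "")
        url = urlsplit(href)
        # An issuer must be an https URL without query or fragment.
        if url.scheme != "https" or not url.netloc or url.query or url.fragment:
            raise ValueError("unacceptable issuer: %r" % href)
        return href
    return None

def provider_config_url(issuer):
    """Where to fetch provider metadata; its "issuer" member must equal `issuer`."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

if __name__ == "__main__":
    resource, url = webfinger_request("joe@example.com")
    print(url)
    issuer = issuer_from_jrd(SAMPLE_JRD)
    print(issuer, provider_config_url(issuer))
```

A 404 from the WebFinger endpoint, or a JRD without the issuer link, means the host publishes no OpenID Connect discovery data for that identifier.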