Spec alignment - OpenID Provider Configuration and issuer value #682

Open
nils-work opened this issue Jan 14, 2025 · 0 comments
Labels
Register Security Change or question related to the information security profile

Comments

@nils-work

Description

The location of the OpenID Provider Configuration of the Register is specified in the Standards as -
https://api.cdr.gov.au/idp/.well-known/openid-configuration

As noted in previous comments, and according to OpenID Connect Discovery, specifically Obtaining OpenID Provider Configuration Information:

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

The issuer value in the Register configuration is https://secure.api.cdr.gov.au/idp which does not align to that requirement.

The inclusion of a path component (/idp) in the issuer value appears to be valid according to the following statements:

Using path components enables supporting multiple issuers per host. This is required in some multi-tenant hosting configurations. This use of .well-known is for supporting multiple issuers per host; unlike its use in RFC 5785 [RFC5785], it does not provide general information about the host.

OpenID Provider Configuration Validation also states:

The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

Intention and Value of Change

To ensure the Standards and Register are aligned to upstream specifications, or note any divergence.

Area Affected

Change Proposed

Options to be discussed, e.g.

  1. Note the misalignment as a Known issue (until resolved, if applicable).
  2. Change the issuer value of the Register to align to its well-known location, according to OIDC specifications.
  3. Change both the well-known location and issuer so they are aligned.
Projects
Status: Iteration Candidates