Discover OpenID Connect Provider Issuer


In the OpenID Connect Discovery 1.0 spec, section User Input using E-Mail Address Syntax they have this example:

  GET /.well-known/webfinger
    ?resource=acct%3Ajoe%40example.com
    &rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
    HTTP/1.1
  Host: example.com

  HTTP/1.1 200 OK
  Content-Type: application/jrd+json

  {
   "subject": "acct:[email protected]",
   "links":
    [
     {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://server.example.com"
     }
    ]
  }

I tried

curl -GLv http://yahoo.com/.well-known/webfinger \
    --data-urlencode "resource=acct:[email protected]" \
    --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"

I also tried

curl -GLv http://gmail.com/.well-known/webfinger \
    --data-urlencode "resource=acct:[email protected]" \
    --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"

among a few. But all I get is 404 Not Found.

Maybe I'm doing something wrong, or there might be no place on the Internet that will actually return the 200 OK shown in the example above.

My question is, given an OpenID (I mean what the user types here: [screenshot of the login form]), how do you determine where the OpenID Provider Issuer is? In other words, if I want to allow logins via OpenID Connect, do I have to keep my own map from OpenID patterns to OpenID issuers?


There are 2 answers

Hans Z.

OpenID Connect is different from OpenID 2.0. Yahoo supports OpenID 2.0 but does not support OpenID Connect + Discovery yet, hence the 404. Here's a place on the internet that returns 200 OK:

curl -GLv https://seed.gluu.org/.well-known/webfinger \
    --data-urlencode "resource=acct:[email protected]" \
    --data-urlencode "rel=http://openid.net/specs/connect/1.0/issuer"
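The two requests the question and this answer show (a WebFinger lookup, then fetching the issuer's openid-configuration) chained into one discovery routine, as an added example that is not part of the original question or answers. It follows the rules of OpenID Connect Discovery 1.0 that the curl one-liners skip: WebFinger goes over HTTPS, the issuer returned in the JRD must be an https URL without query or fragment, and the `issuer` value inside the fetched configuration must be identical to the URL it was fetched from, otherwise any WebFinger host could point you at somebody else's provider. The network is replaced by `fake_fetch` over constructed responses (the spec's example JRD for example.com plus a constructed spoof.example that fails the issuer check); the hostnames and configuration contents are assumptions.

```python
"""Added example (not from the original post): OpenID Connect Discovery via
WebFinger with the issuer checks the spec requires. HTTP is injected as a
function so the example runs offline against constructed responses."""
import json
from urllib.parse import urlencode, urlsplit

ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize(user_input):
    """Turn what the user typed into (resource, host) per Discovery 1.0 section 2.1.

    'joe@example.com'           -> ('acct:joe@example.com', 'example.com')
    'example.com:8080/joe#top'  -> ('https://example.com:8080/joe', 'example.com:8080')
    """
    s = user_input.strip()
    if s.startswith("acct:"):
        resource = s
    elif "@" in s and "://" not in s:          # e-mail syntax -> acct: URI
        resource = "acct:" + s
    else:                                       # URL or host[:port], fragment dropped
        resource = (s if "://" in s else "https://" + s).split("#", 1)[0]
    if resource.startswith("acct:"):
        host = resource.rsplit("@", 1)[-1]
    else:
        parts = urlsplit(resource)
        host = parts.hostname or ""
        if parts.port:
            host += ":%d" % parts.port
    if not host:
        raise ValueError("cannot determine WebFinger host from %r" % user_input)
    return resource, host


def webfinger_url(resource, host):
    # RFC 7033: WebFinger is HTTPS only; urlencode yields the spec's %3A / %40 / %2F form.
    return "https://%s/.well-known/webfinger?%s" % (
        host, urlencode({"resource": resource, "rel": ISSUER_REL}))


def issuer_from_jrd(jrd_text):
    """Pick the issuer link out of a JRD and enforce the spec's shape constraints."""
    for link in json.loads(jrd_text).get("links", []):
        if link.get("rel") == ISSUER_REL and "href" in link:
            issuer = link["href"]
            p = urlsplit(issuer)
            if p.scheme != "https" or p.query or p.fragment:
                raise ValueError("issuer must be https without query/fragment: %r" % issuer)
            return issuer
    raise LookupError("JRD carries no %s link" % ISSUER_REL)


def discover(user_input, fetch):
    """Return (issuer, openid_configuration) for a typed identifier, or raise."""
    resource, host = normalize(user_input)
    status, body = fetch(webfinger_url(resource, host))
    if status != 200:
        raise LookupError("no WebFinger at %s (HTTP %d)" % (host, status))
    issuer = issuer_from_jrd(body)
    status, body = fetch(issuer.rstrip("/") + "/.well-known/openid-configuration")
    if status != 200:
        raise LookupError("no OpenID configuration at %s (HTTP %d)" % (issuer, status))
    config = json.loads(body)
    # Discovery 1.0 section 4.3: the issuer in the document MUST equal the URL used.
    if config.get("issuer") != issuer:
        raise ValueError("issuer mismatch: WebFinger said %r, configuration says %r"
                         % (issuer, config.get("issuer")))
    return issuer, config


# Constructed stand-ins for the network (assumed hosts and contents).
WF_QS = "&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer"
FAKE_RESPONSES = {
    # The JRD from the spec example quoted in the question.
    "https://example.com/.well-known/webfinger?resource=acct%3Ajoe%40example.com" + WF_QS:
        (200, json.dumps({"subject": "acct:joe@example.com",
                          "links": [{"rel": ISSUER_REL, "href": "https://server.example.com"}]})),
    "https://server.example.com/.well-known/openid-configuration":
        (200, json.dumps({"issuer": "https://server.example.com",
                          "authorization_endpoint": "https://server.example.com/authorize",
                          "jwks_uri": "https://server.example.com/jwks.json"})),
    # A WebFinger host that points at a provider claiming to be someone else.
    "https://spoof.example/.well-known/webfinger?resource=acct%3Amallory%40spoof.example" + WF_QS:
        (200, json.dumps({"subject": "acct:mallory@spoof.example",
                          "links": [{"rel": ISSUER_REL, "href": "https://idp.spoof.example"}]})),
    "https://idp.spoof.example/.well-known/openid-configuration":
        (200, json.dumps({"issuer": "https://server.example.com"})),
}


def fake_fetch(url):
    """(status, body) for a URL; anything unknown is a 404 like the question's hosts."""
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    print(discover("joe@example.com", fake_fetch)[0])
```

In a real deployment `fetch` is an HTTPS client with certificate verification on, and the 404s from hosts without WebFinger are the signal to fall back to whatever static issuer map you maintain.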

paulej

The WebFinger spec is relatively new and OpenID Connect is even newer, so neither is widely deployed, yet. You can get info from my personal account:

$ curl 'https://packetizer.com/.well-known/webfinger?resource=acct%3Apaulej%40packetizer.com'

I do not have OpenID Connect implemented (yet), but ping me if you want to test with general WebFinger queries. I can have my server emit anything you want to test.