I'm trying to use the oic library to authenticate with Google OpenID Connect, and get an error
oic.exception.IssuerMismatch: 'https://accounts.google.com' != 'accounts.google.com'
when running
from oic.oic.consumer import Consumer
db = {}      # session/state store the Consumer expects; empty is fine for this reproduction
config = {}  # client configuration; empty, so all defaults apply
c = Consumer(db, config)
# fetches https://accounts.google.com/.well-known/openid-configuration and raises IssuerMismatch
print(c.provider_config('https://accounts.google.com'))
It tries accessing https://accounts.google.com/.well-known/openid-configuration, which says
"issuer": "accounts.google.com",
Now, the specification seems to suggest that this is incorrect:
issuer: REQUIRED. URL using the https scheme with no query or fragment component
Am I correctly interpreting the situation that this is an error in Google's OpenID Connect configuration? Where should I report this error?
(Note: I'm not looking for a work-around, which would be easy enough: I can just skip provider config discovery and hard-code the discovered information. But I want to support arbitrary OpenID Connect providers, not just Google)
Google's OpenID Connect implementation indeed does not conform to that part of the spec. Google implemented the OpenID Connect(-like) protocol before the spec was finished, and in the meantime some of their RPs have become dependent on that identifier. Modifying it would be a breaking change for those RPs and Google has chosen not to do that, at least for now.
Some OpenID Connect implementations indeed make an exception for Google, others try to generalize this behavior by adding an "https://" prefix to any OP issuer identifier that does not start with it, and some don't even check it because they don't implement Discovery-related features. Pick whatever you like best.
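As an added illustration (not code from the question, the answer, or the oic library), the following shows the issuer check the question ran into and the two workarounds the answer mentions: an explicit per-provider exception table and the generalized "prepend https:// when the scheme is missing" rule. The discovery documents are constructed inline so it runs offline; `KNOWN_ALIASES`, `op.example.com` and the function names are assumptions made for this example. Comparison after normalization is exact string equality, matching the spec quote in the question (https scheme, no query or fragment), so the lenient modes only rescue a missing scheme and never a wrong host.

```python
from urllib.parse import urlsplit


class IssuerMismatch(Exception):
    """Raised when the discovered issuer cannot be accepted for the expected one."""


# Constructed sample discovery documents, embedded so this runs offline.
# The first mirrors the "issuer" line from Google's document quoted in the
# question; the second is a hypothetical spec-conforming provider.
GOOGLE_DISCOVERY = {"issuer": "accounts.google.com"}
CONFORMING_DISCOVERY = {"issuer": "https://op.example.com"}

# Per-provider exceptions, the "make an exception for Google" approach.
# Hypothetical table for this example; an RP would maintain its own.
KNOWN_ALIASES = {"accounts.google.com": "https://accounts.google.com"}


def is_valid_issuer(issuer):
    """Check the Discovery requirement quoted in the question:
    a URL using the https scheme with no query and no fragment component."""
    parts = urlsplit(issuer)
    return (parts.scheme == "https" and parts.netloc != ""
            and parts.query == "" and parts.fragment == "")


def normalize_issuer(issuer, aliases=None, prefix_https=False):
    """Apply the workarounds described in the answer.
    aliases:      explicit per-provider mapping (exception-for-Google style)
    prefix_https: generalized fix, prepend https:// when no scheme is present
    Returns the issuer unchanged when neither applies."""
    if aliases and issuer in aliases:
        return aliases[issuer]
    if prefix_https and "://" not in issuer:
        return "https://" + issuer
    return issuer


def check_issuer(expected, discovery, aliases=None, prefix_https=False):
    """Validate discovery["issuer"] against the issuer the RP was configured with.
    After optional normalization the comparison is exact string equality: no
    case-folding and no trailing-slash stripping, so two distinct identifiers
    are never silently treated as the same OP."""
    discovered = normalize_issuer(discovery["issuer"], aliases, prefix_https)
    if not is_valid_issuer(discovered):
        raise IssuerMismatch(
            "issuer %r is not an https URL without query/fragment" % discovered)
    if discovered != expected:
        raise IssuerMismatch("%r != %r" % (expected, discovered))
    return discovered


def issuer_accepted(expected, discovery, **kwargs):
    """Boolean wrapper around check_issuer for callers that only need yes/no."""
    try:
        check_issuer(expected, discovery, **kwargs)
        return True
    except IssuerMismatch:
        return False


if __name__ == "__main__":
    google = "https://accounts.google.com"
    # strict mode: Google's document is rejected, which is what the question saw
    print(issuer_accepted(google, GOOGLE_DISCOVERY))
    # with an alias table or the https:// prefix rule it is accepted
    print(issuer_accepted(google, GOOGLE_DISCOVERY, aliases=KNOWN_ALIASES))
    print(issuer_accepted(google, GOOGLE_DISCOVERY, prefix_https=True))
    # the prefix rule never rescues a wrong host or a query component
    print(issuer_accepted("https://op.example.com",
                          {"issuer": "https://evil.example.com"}, prefix_https=True))
    print(issuer_accepted("https://op.example.com",
                          {"issuer": "op.example.com/?x=1"}, prefix_https=True))
```

Of the two lenient options, the alias table is the narrower one: it only changes behaviour for providers you have deliberately listed, whereas the prefix rule quietly accepts any scheme-less issuer string, so a third option is to use the prefix rule but log every time it actually fires.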