Tags: oauth-2.0, openid, openid-connect, google-openid, openid-provider

Self-Issued OpenID Provider vs OpenID Provider


To make it short:

How exactly does a "Self-Issued OpenID Provider" differ from a "normal OpenID Provider" (let's say Google)?

I read the specification which just says :

"OpenID Connect supports Self-Issued OpenID Providers - personal, self-hosted OPs that issue self-signed ID Tokens. Self-Issued OPs use the special Issuer Identifier https://self-issued.me."

So I understand that a "Self-Issued OpenID Provider" can be hosted by myself, and signs the ID Tokens.

Is the difference that the Tokens from the "normal OpenID Provider" are signed with a certificate which is trusted (e.g. because it's signed by a root CA certificate which is already in the certificate store), and can be validated without the need of sending the public key within the response?

If somebody can clarify this, I would appreciate it very much.

Thanks in advance and best regards!


Solution

  • How exactly does a "Self-Issued OpenID Provider" differ from a "normal OpenID Provider" (let's say Google)?

    A normal provider such as Google, is available at an HTTP endpoint. Requests to normal providers use the http:// protocol.

    A self-issued provider is usually installed on the end-user's device. Requests to self-issued providers use the openid:// protocol.

    For example, on an Android device, Google Chrome could act as a self-issued provider, because the end-user has signed into his Android device, and Google Chrome probably has access to the end-user's identity.

    From the spec:

    "Self Issued Provider is a personal OP that typically runs on a device owned by the user." (OpenID Connect - Part 5: Self Issued Provider)