http - 如何使用 OpenID Connect WebFinger 端点？

Question

阅读description here它说:

WebFinger — Enables dynamic discovery of the OpenID Connect provider for a given user, based on their email address or some other information.

谁能举例说明这是如何工作的(描述有些抽象)？

Answer 1

WebFinger 是在 RFC7033 中定义的协议(protocol). section 3.1 中有一个完整的示例:

3.1. Identity Provider Discovery for OpenID Connect

Suppose Carol wishes to authenticate with a web site she visits usingOpenID Connect. She would provide the web site with her OpenIDConnect identifier, say carol@example.com. The visited web sitewould perform a WebFinger query looking for the OpenID Connectprovider. Since the site is interested in only one particular linkrelation, the WebFinger resource might utilize the "rel" parameter asdescribed in Section 4.3:

GET /.well-known/webfinger?

        resource=acct%3Acarol%40example.com&
        rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
        HTTP/1.1
 Host: example.com

The server might respond like this:

HTTP/1.1 200 OK

 Access-Control-Allow-Origin: *
 Content-Type: application/jrd+json

{

   "subject" : "acct:carol@example.com",
   "links" :
   [
     {
       "rel" : "http://openid.net/specs/connect/1.0/issuer",
       "href" : "https://openid.example.com"
     }
   ]
 }

Since the "rel" parameter only serves to filter the link relationsreturned by the resource, other name/value pairs in the response,including any aliases or properties, would be returned. Also, sincesupport for the "rel" parameter is not guaranteed, the client mustnot assume the "links" array will contain only the requested linkrelation.