From 2d7d5d168e89d5b46b1a245a39c432e53dfbf951 Mon Sep 17 00:00:00 2001 From: rohanharikr Date: Mon, 27 Apr 2026 17:22:43 +0100 Subject: [PATCH] Discovery: follow same-eTLD+1 redirects when fetching metadata MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Defines redirect-handling behavior for metadata fetches: - MUST follow redirects within the same eTLD+1 - SHOULD NOT follow redirects across eTLD+1 boundaries - Validation (issuer match, iss claim) is performed against the post-redirect URL Allows deployments where the user-facing entry point and the canonical metadata host differ within the same registrable domain (e.g. hello.coop → person.hello.coop). Either URL can serve as a valid discovery entry point. Closes #14 --- draft-hardt-aauth-protocol.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/draft-hardt-aauth-protocol.md b/draft-hardt-aauth-protocol.md index 32d7e24..26c76af 100644 --- a/draft-hardt-aauth-protocol.md +++ b/draft-hardt-aauth-protocol.md 
@@ -2120,6 +2120,14 @@ The `jwks_uri`, `tos_uri`, `policy_uri`, `logo_uri`, and `logo_dark_uri` values Participants publish metadata at well-known URLs ([@!RFC8615]) to enable discovery. +### Following Redirects {#metadata-redirects} + +When fetching a metadata document, implementations MUST follow HTTP redirects ([@!RFC9110], Section 15.4) to a target host within the same effective top-level domain plus one (eTLD+1) as the original URL. Implementations SHOULD NOT follow redirects to a different eTLD+1. + +This permits a deployment where the user-facing entry point and the canonical metadata host differ within the same registrable domain. For example, `https://example.com/.well-known/aauth-person.json` MAY redirect to `https://person.example.com/.well-known/aauth-person.json`, allowing either URL to serve as a valid discovery entry point. + +When a redirect has been followed, validation of the metadata document is performed against the **final** URL (after redirects), not the original. In particular, the `issuer` value in the document MUST match the post-redirect URL minus the `/.well-known/{dwk}` suffix. The `iss` claim in tokens issued by the server is also the post-redirect URL. + ### Agent Server Metadata Published at `/.well-known/aauth-agent.json`:
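Review bot: The new "Following Redirects" subsection leaves the final URL's scheme and path unconstrained, which makes the issuer rule in its last paragraph underspecified: `issuer` MUST match "the post-redirect URL minus the `/.well-known/{dwk}` suffix", but nothing in the text requires the redirect target to keep that suffix or to stay on `https`, so a same-eTLD+1 redirect to `http://` or to a different path satisfies the MUST-follow rule yet has no defined issuer. Suggest stating that the final URL MUST use the `https` scheme and MUST end in the same `/.well-known/{dwk}` path as the original request, and that a redirect violating either condition (or crossing the eTLD+1 boundary, which the text only says SHOULD NOT be followed) is treated as a failed metadata fetch rather than left to the implementation. Two smaller points: "effective top-level domain plus one (eTLD+1)" is introduced without saying how the effective TLD is determined, so implementations will disagree at the boundary unless the Public Suffix List or an equivalent is named; and because following is mandatory, the section should bound the redirect chain (a maximum hop count and loop detection), otherwise a misconfigured host can keep a conforming client redirecting indefinitely.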