How well-known are those URIs though? :-\

eschatology 9 hours ago | parent | next [-]

I spent 10 minutes searching for one in the article, in the RFC, in the wikipedia page, on google, to search for a .well-known example. Couldn't find one.

I did read one before while working with github oidc, and I did find it very useful.

What is it with technical documentations that go deep describing what it is in plenty words but refusing to give a single example? This far from the first case I've ran into either.

	▲	deathanatos 2 hours ago \| parent \| next [-]
		> I spent 10 minutes searching for one in the article, in the RFC, in the wikipedia page, on google, to search for a .well-known example. Couldn't find one. I don't know how that can be, since you claim to have found the RFC; the RFC straight-forwardly states, > 5. IANA Considerations > This specification updates the registration procedures for the "Well-Known URI" registry, first defined in [RFC5785]; see Section 3.1. & then of course directs IANA to establish a registry. We'd expect this section, given the very nature of the RFC is that it establishes a collection of things, so that there is an IANA considerations section should be wholly unsurprising… If you see the linked section… > The "Well-Known URIs" registry is located at <https://www.iana.org/assignments/well-known-uris/>. And there's a link to a listing of every standardized .well-known URI there is. > What is it with technical documentations that go deep describing what it is in plenty words but refusing to give a single example? The RFC provides an example in the form of "example", but also in the form of "robots.txt" (as a "it could have used this, had this existed", but what else could it have done?).
	▲	hahajk 4 hours ago \| parent \| prev [-]
		I've been setting up some federated servers (Matrix, activitypub) and I ran into .well_known/ paths in many of them. Webfinger resolver for activitypub and a more custom matrix server-to-server federation endpoint.

▲

ano-ther 8 hours ago | parent | prev | next [-]

They are collected at this registry: https://www.iana.org/assignments/well-known-uris/well-known-...

	▲	einpoklum an hour ago \| parent [-]
		Are they actually, though?

▲

reddalo 9 hours ago | parent | prev | next [-]

There's an interesting list on Wikipedia: https://en.wikipedia.org/wiki/Well-known_URI#List_of_well-kn...

▲

eschatology 9 hours ago | parent [-]

Not one of them links to the actual well-known resource, only pdf specifications. And several I picked randomly leads to dead ends.

Here's one I could find: https://accounts.google.com/.well-known/openid-configuration

But how does one even find this?

▲

masklinn 8 hours ago | parent [-]

well-known is for programmatic access, it either namespaces something you’re told to look for (e.g. various types of domain markers) or it lets you discover a feature / endpoint.

In the latter case you just probe, for instance if you’re a password manager and you have a password for site A you hit A/.well-known/change-password and if they returns something you can surface a change password link to your user.

The one you found is for OIDC provider discovery (https://openid.net/specs/openid-connect-discovery-1_0.html#P...) so someone tells you they want to log in via Google, you hit that endpoint, and it lets you setup Google as an oidc provider rather without needing to hard-code providers. Even if you just want to support Google as a provider, you hit that and you get the entire configuration rather than have to hunt down the same information in the docs.

▲

eschatology 7 hours ago | parent [-]

Thank you, that it is part of OIDC provider discovery spec explains a lot.

That said, I still find it very bizzare that it's so hard to find a tangible example to see how it is in practice.

The rfc has none. Another spec including the use of it has none. In the end only completed service provider/implementers show it.

Before programmatic access happens, it needs to be written by a human. Yet the whole thing feels so human-unfriendly.

Perhaps I am biased robots.txt sets a high bar on how easy it is to find and work with?

▲

masklinn 7 hours ago | parent [-]

What RFC? The oidc discovery spec has an example, and for change-password it’s just a redirect. RFC 8615 is about the existence and management of the .well-know namespace, so examples don’t really make sense.

	▲	hparadiz 6 hours ago \| parent [-]
		A JWKS is defined at /.well-known/jwks.json It's a JSON array of public keys which you can use to validate a JWT which is what an OIDC token is. Making it an array means you can rotate keys whenever but the validator is typically caching the public keys. https://www.hanko.io/blog/understanding-jwks Actually... found it https://datatracker.ietf.org/doc/html/rfc6749 And here's a PHP implementation that is perfect. https://github.com/thephpleague/oauth2-client

▲

Joker_vD 2 hours ago | parent | prev | next [-]

Slightly less well-known than XDG directories among the developers of Linux-targeted software, it would seem.

Seriously, what an oxymoronic name. "/index.html" is a well known URL, literally: most of web-developers are aware of it. But inventing a bunch of URLs with predefined semantics and then slapping the "well-known" label on it... well, it won't magically make them actually well-known.

▲

timwis 9 hours ago | parent | prev [-]

I agree. I was hoping for a few positive examples, but didn't see any. The only one I know of is the OIDC discovery endpoint.

▲

asdfasdfadsfs 8 hours ago | parent | next [-]

I would say acme-challenge is one of the most used ones. How else would one get SSL certificates today

▲

echoangle 8 hours ago | parent [-]

DNS TXT challenge for example. Also better because you can get wildcard certs.

▲

ameliaquining a minute ago | parent | next [-]

The great virtue of the in-band challenge types is that web servers can just handle them out of the box, without any need for a separate setup step that depends on your stack. I think this has done a heck of a lot to increase adoption of HTTPS.

▲

sureglymop 4 hours ago | parent | prev [-]

Also, DNS-PERSIST-01 seems to be coming soon for Let's Encrypt, which should allow even people that can't easily dynamically update their DNS records to get wildcard certs. I assume this might become more widely used than HTTP-01 challenges.

	▲	inigyou 2 hours ago \| parent [-]
		I wish someone would write a blog post about the difference between DNS registrars and DNS hosts, because I've seen people assume they need to use a registrar that has an API in order to change their DNS records programmatically. I used to assume that too.

▲

pstoev 7 hours ago | parent | prev [-]

Another one that is emerging is the A2A agent card https://a2a-protocol.org/latest/topics/agent-discovery/#1-we...