Authorization server issuers are HTTPS
Authored by Stanley Hong · AgentReserve (founder).
Every authorization server advertised by the protected resource metadata uses an HTTPS issuer URL with no userinfo, fragment, or query. RFC 8414 and OpenID Connect Discovery both require an issuer to use the https scheme with no query or fragment component; this rule additionally rejects userinfo, which has no legitimate place in an issuer identifier. A non-HTTPS issuer exposes the whole authorization flow, tokens included, to interception on the network path.
When this rule runs
Only applies when the server signals that authentication is required by responding with HTTP 401 or 403. Excluded from the score on public servers.
Why it matters
An HTTP issuer means the entire OAuth flow can be read or modified by anything on the network path: the authorization request, the redirect, and the token exchange all travel in plaintext, and the authorization server metadata itself can be replaced in transit. This invalidates the security model of the rest of the flow.
Pass condition
Every observed issuer is a syntactically valid HTTPS URL with no userinfo, fragment, or query.
Fail condition
At least one observed issuer uses a non-HTTPS scheme, carries userinfo, a query, or a fragment, or is otherwise malformed.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"invalidIssuers": ["http://issuer.example.com"]}
Remediation
Serve the authorization server over HTTPS and advertise an issuer URL with no userinfo, query, or fragment. The advertised value must match the `issuer` field of the authorization server metadata document exactly (RFC 8414 requires identical strings, so a trailing-slash difference is a mismatch).
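The following is an added example, not AgentReserve's own scanner code, that applies the pass and fail conditions above to a constructed RFC 9728 protected resource metadata document and produces the evidence shape shown earlier. It also covers the remediation check: building the RFC 8414 well-known URL from an issuer and comparing the metadata document's `issuer` with the advertised value. The function names, the sample document, and the `pass` key in the returned record are illustrative assumptions.

```python
"""Added example: apply the issuer rule offline to a constructed RFC 9728
protected resource metadata document and build the report's evidence record.
Not AgentReserve's own scanner code; function names are illustrative."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of the `authorization_servers` list a protected resource
# might advertise; the last two entries are deliberately invalid.
SAMPLE_PRM = {
    "resource": "https://mcp.example.com",
    "authorization_servers": [
        "https://auth.example.com",
        "http://issuer.example.com",
        "https://admin@auth.example.com/tenant#x",
    ],
}


def issuer_problem(issuer: str) -> Optional[str]:
    """Return None when `issuer` satisfies the rule, otherwise a short reason.

    RFC 8414 s2 / OIDC Discovery: https scheme, no query, no fragment.
    The rule additionally rejects userinfo and anything urlsplit cannot parse.
    """
    try:
        parts = urlsplit(issuer)
        _ = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return "malformed URL"
    if parts.scheme != "https":  # urlsplit lowercases the scheme
        return f"scheme is {parts.scheme!r}, not https"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo present"
    # Check the raw string so an empty component ("...?" or "...#") still fails;
    # urlsplit reports it as an empty string indistinguishable from absence.
    if "?" in issuer:
        return "query component present"
    if "#" in issuer:
        return "fragment component present"
    return None


def check_protected_resource_metadata(prm: dict) -> dict:
    """Run the rule over an RFC 9728 document.

    Returns the verdict plus the evidence the report records on failure:
    {"pass": bool, "invalidIssuers": [...]}.
    """
    issuers = prm.get("authorization_servers", [])
    invalid = [iss for iss in issuers if issuer_problem(iss) is not None]
    return {"pass": not invalid, "invalidIssuers": invalid}


def metadata_url(issuer: str) -> str:
    """RFC 8414 s3: insert the well-known path between host and issuer path."""
    parts = urlsplit(issuer)
    path = parts.path.rstrip("/")
    return f"{parts.scheme}://{parts.netloc}/.well-known/oauth-authorization-server{path}"


def issuer_matches_metadata(advertised: str, as_metadata: dict) -> bool:
    """RFC 8414 s3.3: the document's `issuer` must be identical to the issuer
    used to locate it. No normalisation, so a trailing slash is a mismatch."""
    return as_metadata.get("issuer") == advertised


if __name__ == "__main__":
    result = check_protected_resource_metadata(SAMPLE_PRM)
    print(result)  # {'pass': False, 'invalidIssuers': ['http://issuer.example.com', 'https://admin@auth.example.com/tenant#x']}
    for iss in SAMPLE_PRM["authorization_servers"]:
        print(iss, "->", issuer_problem(iss) or "ok")
```

The raw `?` and `#` checks matter because `urlsplit` returns an empty string for `https://host/?`, which would otherwise read as "no query" even though the URL carries a query component the specs forbid. The port access inside the `try` is what catches a non-numeric port, which `urlsplit` itself does not reject.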
Methodology
This rule belongs to the Auth discovery posture dimension, which measures whether, when authorization is required, the server cooperates with the standards-based discovery chain: RFC 9728 protected resource metadata, RFC 8414 authorization server metadata, validated issuers, and safe grant types.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.