[1] : openid-connect-registration-1_0-d16.txt | [2] : openid-connect-registration-1_0-d17.txt 00001 | ||00001 | 00002 | ||00002 | 00003 | ||00003 | 00004 |Draft ||00004 |Draft 00005 | ||00005 | 00006 | ||00006 | 00007 | ||00007 | 00008 | ||00008 | 00009 | ||00009 | 00010 L| ||00010 R| 00011 | ||00011 | 00012 | ||00012 | 00013 L| OpenID Connect Dynamic Client Registration ||00013 R| OpenID Connect Dynamic Client Registration 1.0 - 00014 | ||00014 | 00015 |Abstract ||00015 |Abstract 00016 | ||00016 | 00017 | OpenID Connect 1.0 is a simple identity layer o||00017 | OpenID Connect 1.0 is a simple identity layer o 00018 | protocol. It allows Clients to verify the iden||00018 | protocol. It allows Clients to verify the iden 00019 | based on the authentication performed by an Aut||00019 | based on the authentication performed by an Aut 00020 | well as to obtain basic profile information abo||00020 | well as to obtain basic profile information abo 00021 | interoperable and REST-like manner. ||00021 | interoperable and REST-like manner. 00022 | ||00022 | 00023 | This specification describes how an OpenID Clie||00023 | This specification describes how an OpenID Clie 00024 | necessary client credentials required by the Op||00024 | necessary client credentials required by the Op 00025 | suite. ||00025 | suite. 00026 | ||00026 | 00027 | ||00027 | 00028 |Table of Contents ||00028 |Table of Contents 00029 | ||00029 | 00030 | 1. Introduction ||00030 | 1. Introduction 00031 | 1.1. Requirements Notation and Conventions ||00031 | 1.1. Requirements Notation and Conventions 00032 L| 1.2. Terminology ||00032 R| 2. Terminology 00033 L| 2. Client Registration Endpoint ||00033 R| 3. Client Registration 00034 L| 2.1. Client Registration and Client Update R||00034 R| 3.1. Client Registration Request 00035 L| 2.1.1. "sector_identifier_url" Validation ||00035 R| 3.2. Client Registration Response 00036 L| 2.2. Client Registration Response ||00036 R| 4. Client Read 00037 L| 2.2.1. 
Client Register Operation Response ||00037 R| 4.1. Client Read Request 00038 L| 2.2.2. Rotate Secret Operation Response ||00038 R| 4.2. Client Read Response 00039 L| 2.2.3. Client Update Operation Response ||00039 R| 5. Client Update 00040 L| 2.3. Client Registration Error Response ||00040 R| 5.1. Client Update Request 00041 L| 3. String Operations ||00041 R| 5.2. Client Update Response 00042 L| 4. Validation ||00042 R| 6. Cleint Delete 00043 L| 5. Implementation Considerations ||00043 R| 6.1. Client Delete Request 00044 L| 6. Security Considerations ||00044 R| 6.2. Client Delete Response 00045 L| 6.1. TLS Requirements ||00045 R| 7. Client Registration Error Response 00046 L| 7. IANA Considerations ||00046 R| 8. "sector_identifier_url" Validation 00047 L| 8. References ||00047 R| 9. String Operations 00048 L| 8.1. Normative References ||00048 R| 10. Validation 00049 L| 8.2. Informative References ||00049 R| 11. Implementation Considerations | ||00050 R| 12. Security Considerations | ||00051 R| 12.1. TLS Requirements | ||00052 R| 13. Privacy Considerations | ||00053 R| 14. IANA Considerations | ||00054 R| 15. References | ||00055 R| 15.1. Normative References | ||00056 R| 15.2. Informative References 00050 | Appendix A. Acknowledgements ||00057 | Appendix A. Acknowledgements 00051 | Appendix B. Notices ||00058 | Appendix B. Notices 00052 | Appendix C. Document History ||00059 | Appendix C. Document History 00053 | Authors' Addresses ||00060 | Authors' Addresses 00054 | ||00061 | 00055 | ||00062 | 00056 |1. Introduction ||00063 |1. Introduction 00057 | ||00064 | 00058 | In order for an OpenID Connect Client to utiliz||00065 | In order for an OpenID Connect Client to utiliz 00059 | a user, the Client needs to register with the O||00066 | a user, the Client needs to register with the O 00060 | acquire a Client ID and shared secret. This do||00067 | acquire a Client ID and shared secret. 
This do 00061 | new Client can register with the provider, and ||00068 | new Client can register with the provider, and 00062 | in possession of a "client_id" can retrieve upd||00069 | in possession of a "client_id" can retrieve upd 00063 | information. ||00070 | information. 00064 | ||00071 | 00065 | The Client Registration Endpoint may be co-resi||00072 | The Client Registration Endpoint may be co-resi 00066 | endpoint as an optimization in some deployments||00073 | endpoint as an optimization in some deployments 00067 | ||00074 | 00068 | Note: This specification will likely be modifie||00075 | Note: This specification will likely be modifie 00069 | Dynamic Client Registration Protocol [I-D.ietf-||00076 | Dynamic Client Registration Protocol [I-D.ietf- 00070 | the OAuth registration draft is stable. While ||00077 | the OAuth registration draft is stable. While 00071 | contained, this specification intentionally use||00078 | contained, this specification intentionally use 00072 | identifiers as the current version of the OAuth||00079 | identifiers as the current version of the OAuth 00073 | of the time that this specification was last up||00080 | of the time that this specification was last up 00074 | ||00081 | 00075 |1.1. Requirements Notation and Conventions ||00082 |1.1. Requirements Notation and Conventions 00076 | ||00083 | 00077 | The key words "MUST", "MUST NOT", "REQUIRED", "||00084 | The key words "MUST", "MUST NOT", "REQUIRED", " 00078 | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", a||00085 | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", a 00079 | document are to be interpreted as described in ||00086 | document are to be interpreted as described in 00080 | ||00087 | 00081 | Throughout this document, values are quoted to ||00088 | Throughout this document, values are quoted to 00082 | to be taken literally. When using these values||00089 | to be taken literally. 
When using these values 00083 | the quotes MUST NOT be used as part of the valu||00090 | the quotes MUST NOT be used as part of the valu 00084 | ||00091 | 00085 L|1.2. Terminology ||00092 R| | ||00093 R|2. Terminology 00086 | ||00094 | 00087 | This specification uses the terms "Access Token||00095 | This specification uses the terms "Access Token 00088 | "Authorization Code", "Authorization Grant", "A||00096 | "Authorization Code", "Authorization Grant", "A 00089 | "Authorization Endpoint", "Client", "Client Ide||00097 | "Authorization Endpoint", "Client", "Client Ide 00090 | Secret", "Protected Resource", "Resource Owner"||00098 | Secret", "Protected Resource", "Resource Owner" 00091 | and "Token Endpoint" defined by OAuth 2.0 [RFC6||00099 | and "Token Endpoint" defined by OAuth 2.0 [RFC6 00092 L| defined by OpenID Connect Messages 1.0 [OpenID.||00100 R| defined by OpenID Connect Messages 1.0 [OpenID. 00093 L| no additional terms. ||00101 R| 00094 L| ||00102 R| This specification defines the following additi 00095 L| ||00103 R| 00096 L|2. Client Registration Endpoint ||00104 R| Client Registration Endpoint OAuth 2.0 Protect | ||00105 R| which a Client can request new registration | ||00106 R| metadata associated with it | ||00107 R| | ||00108 R| Registration Access Token OAuth 2.0 Bearer Tok | ||00109 R| Authorization Server through the Client Regi | ||00110 R| which is used by the Client to authenticate | ||00111 R| and secret rotation operations | ||00112 R| | ||00113 R| Self URL URL of an OAuth Bearer token protecte | ||00114 R| the client registration data may be obtained | ||00115 R| | ||00116 R| | ||00117 R|3. Client Registration 00097 | ||00118 | 00098 | The Client Registration Endpoint is an OAuth 2.||00119 | The Client Registration Endpoint is an OAuth 2. 00099 L| that returns registration information for the C||00120 R| through which a Client can request new registra 00100 L| itself for the OpenID Provider. 
The OpenID Pro||00121 R| metadata associated with it. The OpenID Provid 00101 | Access Token that is provisioned out-of-band (i||00122 | Access Token that is provisioned out-of-band (i 00102 | of scope for this specification) in order to re||00123 | of scope for this specification) in order to re 00103 | requests to only authorized Clients. ||00124 | requests to only authorized Clients. 00104 | ||00125 | 00105 | In order to support open registration, the Clie||00126 | In order to support open registration, the Clie 00106 | Endpoint SHOULD accept requests without OAuth 2||00127 | Endpoint SHOULD accept requests without OAuth 2 00107 | an Access Token is required for Client registra||00128 | an Access Token is required for Client registra 00108 | Registration Endpoint MUST be able to accept Ac||00129 | Registration Endpoint MUST be able to accept Ac 00109 | manner described in the OAuth 2.0 Bearer Token ||00130 | manner described in the OAuth 2.0 Bearer Token 00110 | specification. ||00131 | specification. 00111 | ||00132 | 00112 L|2.1. Client Registration and Client Update Reques||00133 R|3.1. Client Registration Request 00113 | ||00134 | 00114 L| Client Update Requests replace all previous par||00135 R| To register a new client to the Authorization S 00115 L| "client_id". ||00136 R| sends HTTP POST messages to the Client Registra 00116 L| ||00137 R| parameters described below, which is called Cli 00117 L| Clients MUST send requests encoded as a POST wi||00138 R| are encoded in the entity body as UTF-8 strings 00118 L| parameters added to the HTTP request entity-bod||00139 R| "application/x-www-form-urlencoded" format. Th 00119 L| x-www-form-urlencoded" format: ||00140 R| assigns this client a unique Client Identifier, 00120 L| ||00141 R| Client Secret, and associates the metadata give 00121 L| operation REQUIRED. Registration operation be||00142 R| the issued Client Identifier. 
The Authorizatio 00122 L| are "client_register" (for new registrations||00143 R| default values for any items omitted in the Cli 00123 L| request rotation of the "client_secret", and||00144 R| 00124 L| updating parameters of an existing "client_i||00145 R| _[[Editor's Note (Nat): Why do we want it to be 00125 L| "rotate_secret" is used no optional paramete||00146 R| There are so many of them and it is easier to d 00126 L| "access_token" may be included in the reques||00147 R| Accept: application/json and Content-Type: appl | ||00148 R| SCIM? There are several advantages on it. (1) | ||00149 R| encode the non-ascii strings. (2) it can be eas | ||00150 R| a big change, but if we want to do it, we have 00127 | ||00151 | 00128 | redirect_uris REQUIRED. Space-delimited list ||00152 | redirect_uris REQUIRED. Space-delimited list 00129 | of the URL MUST match the Scheme, Host, and ||00153 | of the URL MUST match the Scheme, Host, and 00130 | "redirect_uri" in the authorization request.||00154 | "redirect_uri" in the authorization request. 00131 | ||00155 | 00132 | application_type OPTIONAL. Kind of the applic||00156 | application_type OPTIONAL. Kind of the applic 00133 | not specified is "web". The defined values ||00157 | not specified is "web". The defined values 00134 | Web clients MUST only register URLs using th||00158 | Web clients MUST only register URLs using th 00135 | "redirect_uris"; they MAY NOT use "localhost||00159 | "redirect_uris"; they MAY NOT use "localhost 00136 | Native clients MUST only register "redirect_||00160 | Native clients MUST only register "redirect_ 00137 | schemes or URLs using the "http:" scheme wit||00161 | schemes or URLs using the "http:" scheme wit 00138 | hostname. Authorization Servers may place a||00162 | hostname. Authorization Servers may place a 00139 | on Native clients. The Authorization server||00163 | on Native clients. 
The Authorization server 00140 | the registered "redirect_uris" conform to th||00164 | the registered "redirect_uris" conform to th 00141 | prevents sharing a Client ID across differen||00165 | prevents sharing a Client ID across differen 00142 | ||00166 | 00143 L| access_token OPTIONAL. If this is a "client_r||00167 R| access_token OPTIONAL. Access Token obtained 00144 L| is an Access Token obtained out of band to a||00168 R| authorize the registrant. This parameter MU 00145 L| registrant. If this is a "client_update" or||00169 R| Access Token is sent in the HTTP Authorizati 00146 L| request, this is the "registration_access_to||00170 R| in Section 7.1 of OAuth 2.0 [RFC6749]. Acce 00147 L| "client_register" or "rotate_secret" respons||00171 R| authorization header must be bearer tokens [ 00148 L| MUST NOT be sent if the Access Token is sent|| | 00149 L| Authorization header as described in Section|| | 00150 L| [RFC6749]. Access Tokens sent in the author|| | 00151 L| bearer tokens [RFC6750]. || | 00152 | ||00172 | 00153 | contacts OPTIONAL. Space delimited list of e-||00173 | contacts OPTIONAL. Space delimited list of e- 00154 | people allowed to administer the information||00174 | people allowed to administer the information 00155 | This is used by some providers to enable a w||00175 | This is used by some providers to enable a w 00156 | Client information. ||00176 | Client information. 00157 | ||00177 | 00158 | client_name OPTIONAL. Name of the Client to b||00178 | client_name OPTIONAL. Name of the Client to b 00159 | user. If desired, representation of this cl||00179 | user. If desired, representation of this cl 00160 | languages and scripts is obtained by applyin||00180 | languages and scripts is obtained by applyin 00161 | Section 2.1.1.1.3 ("claims" member) of OpenI||00181 | Section 2.1.1.1.3 ("claims" member) of OpenI 00162 | [OpenID.Messages]. ||00182 | [OpenID.Messages]. 00163 | ||00183 | 00164 | logo_url OPTIONAL. 
URL that references a logo||00184 | logo_url OPTIONAL. URL that references a logo 00165 | application. ||00185 | application. 00166 | ||00186 | 00167 | token_endpoint_auth_method OPTIONAL. Requeste||00187 | token_endpoint_auth_method OPTIONAL. Requeste 00168 | method for the Token Endpoint. The options ||00188 | method for the Token Endpoint. The options 00169 | "client_secret_post", "client_secret_basic",||00189 | "client_secret_post", "client_secret_basic", 00170 | and "private_key_jwt", as described in Secti||00190 | and "private_key_jwt", as described in Secti 00171 | Connect Messages 1.0 [OpenID.Messages]. Oth||00191 | Connect Messages 1.0 [OpenID.Messages]. Oth 00172 | methods may be defined by extension. If uns||00192 | methods may be defined by extension. If uns 00173 | the default is "client_secret_basic" HTTP Ba||00193 | the default is "client_secret_basic" HTTP Ba 00174 | Scheme as specified in Section 2.3.1 of OAut||00194 | Scheme as specified in Section 2.3.1 of OAut 00175 | ||00195 | 00176 | policy_url OPTIONAL. URL location that the Re||00196 | policy_url OPTIONAL. URL location that the Re 00177 | provides to the End-User to read about the h||00197 | provides to the End-User to read about the h 00178 | will be used. The OpenID Provider SHOULD di||00198 | will be used. The OpenID Provider SHOULD di 00179 | End-User if it is given. ||00199 | End-User if it is given. 00180 | ||00200 | 00181 | tos_url OPTIONAL. URL location that the Relyi||00201 | tos_url OPTIONAL. URL location that the Relyi 00182 | provides to the End-User to read about the R||00202 | provides to the End-User to read about the R 00183 | of service. The OpenID Provider SHOULD disp||00203 | of service. The OpenID Provider SHOULD disp 00184 | End-User if it is given. ||00204 | End-User if it is given. 00185 | ||00205 | 00186 | jwk_url OPTIONAL. URL for the Client's JSON W||00206 | jwk_url OPTIONAL. 
URL for the Client's JSON W 00187 | document containing key(s) that are used for||00207 | document containing key(s) that are used for 00188 | Endpoint Requests and OpenID Request Objects||00208 | Endpoint Requests and OpenID Request Objects 00189 | "jwk_encryption_url" is not provided it is a||00209 | "jwk_encryption_url" is not provided it is a 00190 | the ID Token and User Info Endpoint Response||00210 | the ID Token and User Info Endpoint Response 00191 | the Client registers both "x509_url" and "jw||00211 | the Client registers both "x509_url" and "jw 00192 | contained in both formats SHOULD be the same||00212 | contained in both formats SHOULD be the same 00193 | ||00213 | 00194 | jwk_encryption_url OPTIONAL. URL for the Clie||00214 | jwk_encryption_url OPTIONAL. URL for the Clie 00195 | [JWK] document containing key(s) that are us||00215 | [JWK] document containing key(s) that are us 00196 | Token and User Info Endpoint Responses to th||00216 | Token and User Info Endpoint Responses to th 00197 | Client registers both "jwk_encryption_url" a||00217 | Client registers both "jwk_encryption_url" a 00198 | "x509_encryption_url", the keys contained in||00218 | "x509_encryption_url", the keys contained in 00199 | be the same. ||00219 | be the same. 00200 | ||00220 | 00201 | x509_url OPTIONAL. URL for the Client's PEM e||00221 | x509_url OPTIONAL. URL for the Client's PEM e 00202 | Certificate or Certificate chain that is use||00222 | Certificate or Certificate chain that is use 00203 | Endpoint Requests and OpenID Request Objects||00223 | Endpoint Requests and OpenID Request Objects 00204 | "x509_encryption_url" is not provided, "x509||00224 | "x509_encryption_url" is not provided, "x509 00205 | to encrypt the ID Token and User Info Endpoi||00225 | to encrypt the ID Token and User Info Endpoi 00206 | Client. If the Client registers both "x509_||00226 | Client. 
If the Client registers both "x509_ 00207 | the keys contained in both formats SHOULD be||00227 | the keys contained in both formats SHOULD be 00208 | ||00228 | 00209 | x509_encryption_url OPTIONAL. URL for the Cli||00229 | x509_encryption_url OPTIONAL. URL for the Cli 00210 | X.509 Certificate or Certificate chain that ||00230 | X.509 Certificate or Certificate chain that 00211 | ID Token and User Info Endpoint Responses to||00231 | ID Token and User Info Endpoint Responses to 00212 | Client registers both "jwk_encryption_url" a||00232 | Client registers both "jwk_encryption_url" a 00213 | "x509_encryption_url", the keys contained in||00233 | "x509_encryption_url", the keys contained in 00214 | be the same. ||00234 | be the same. 00215 | ||00235 | 00216 | sector_identifier_url OPTIONAL. URL using the||00236 | sector_identifier_url OPTIONAL. URL using the 00217 | used in calculating Pseudonymous Identifiers||00237 | used in calculating Pseudonymous Identifiers 00218 | references a file with a single JSON array o||00238 | references a file with a single JSON array o 00219 L| values. Please see Section 2.1.1. ||00239 R| values. Please see Section 8. 00220 | ||00240 | 00221 | subject_type OPTIONAL. "subject_type" requeste||00241 | subject_type OPTIONAL. "subject_type" requeste 00222 | this "client_id". The "subject_types_suppor||00242 | this "client_id". The "subject_types_suppor 00223 | discovery contains a list of the supported "||00243 | discovery contains a list of the supported " 00224 | for this server. Valid types include "pairw||00244 | for this server. Valid types include "pairw 00225 | ||00245 | 00226 | request_object_signing_alg OPTIONAL. JWS [JWS||00246 | request_object_signing_alg OPTIONAL. 
JWS [JWS 00227 | [JWA] that MUST be required by the Authoriza||00247 | [JWA] that MUST be required by the Authoriza 00228 | valid values are listed in Section 3.1 of JW||00248 | valid values are listed in Section 3.1 of JW 00229 | Request Objects from this "client_id" MUST b||00249 | Request Objects from this "client_id" MUST b 00230 | signed by this algorithm. Servers SHOULD su||00250 | signed by this algorithm. Servers SHOULD su 00231 | ||00251 | 00232 | userinfo_signed_response_alg OPTIONAL. JWS "a||00252 | userinfo_signed_response_alg OPTIONAL. JWS "a 00233 | required for UserInfo responses. The valid ||00253 | required for UserInfo responses. The valid 00234 | Section 3.1 of JWA [JWA]. If this is specif||00254 | Section 3.1 of JWA [JWA]. If this is specif 00235 | be JWT [JWT] serialized, and signed using JW||00255 | be JWT [JWT] serialized, and signed using JW 00236 | ||00256 | 00237 | userinfo_encrypted_response_alg OPTIONAL. JWE||00257 | userinfo_encrypted_response_alg OPTIONAL. JWE 00238 | [JWA] required for encrypting UserInfo respo||00258 | [JWA] required for encrypting UserInfo respo 00239 | values are listed in Section 4.1 of JWA [JWA||00259 | values are listed in Section 4.1 of JWA [JWA 00240 | requested in combination with signing the re||00260 | requested in combination with signing the re 00241 | then encrypted. If this is specified the re||00261 | then encrypted. If this is specified the re 00242 | [JWT] serialized, and encrypted using JWE. ||00262 | [JWT] serialized, and encrypted using JWE. 00243 | ||00263 | 00244 | userinfo_encrypted_response_enc OPTIONAL. JWE||00264 | userinfo_encrypted_response_enc OPTIONAL. 
JWE 00245 | required for symmetric encryption of UserInf||00265 | required for symmetric encryption of UserInf 00246 | valid values are listed in Section 4.2 JWA [||00266 | valid values are listed in Section 4.2 JWA [ 00247 | ""userinfo_encrypted_response_alg"" is speci||00267 | ""userinfo_encrypted_response_alg"" is speci 00248 | this value is "A128CBC+HS256". If this is r||00268 | this value is "A128CBC+HS256". If this is r 00249 | combination with signing the response will b||00269 | combination with signing the response will b 00250 | encrypted. If this is specified the respons||00270 | encrypted. If this is specified the respons 00251 | serialized, and encrypted using JWE. ||00271 | serialized, and encrypted using JWE. 00252 | ||00272 | 00253 | id_token_signed_response_alg OPTIONAL. JWS "a||00273 | id_token_signed_response_alg OPTIONAL. JWS "a 00254 | required for the ID Token issued to this "cl||00274 | required for the ID Token issued to this "cl 00255 | values are listed in Section 3.1 of JWA [JWA||00275 | values are listed in Section 3.1 of JWA [JWA 00256 | specified is "RS256". The public key for va||00276 | specified is "RS256". The public key for va 00257 | is provided by retrieving the document from ||00277 | is provided by retrieving the document from 00258 | or the "x509_url" element from discovery. ||00278 | or the "x509_url" element from discovery. 00259 | ||00279 | 00260 | id_token_encrypted_response_alg OPTIONAL. JWE||00280 | id_token_encrypted_response_alg OPTIONAL. JWE 00261 | required for encrypting the ID Token issued ||00281 | required for encrypting the ID Token issued 00262 | The valid values are listed in Section 4.1 o||00282 | The valid values are listed in Section 4.1 o 00263 | is requested the response will be signed the||00283 | is requested the response will be signed the 00264 | default if not specified is no encryption. ||00284 | default if not specified is no encryption. 
00265 | ||00285 | 00266 | id_token_encrypted_response_enc OPTIONAL. JWE||00286 | id_token_encrypted_response_enc OPTIONAL. JWE 00267 | required for symmetric encryption of the ID ||00287 | required for symmetric encryption of the ID 00268 | "client_id". The valid values are listed in||00288 | "client_id". The valid values are listed in 00269 | [JWA]. If ""id_token_encrypted_response_alg||00289 | [JWA]. If ""id_token_encrypted_response_alg 00270 | default for this value is "A128CBC+HS256". ||00290 | default for this value is "A128CBC+HS256". 00271 | in combination with signing the response wil||00291 | in combination with signing the response wil 00272 | encrypted. If this is specified the respons||00292 | encrypted. If this is specified the respons 00273 | serialized, and encrypted using JWE. ||00293 | serialized, and encrypted using JWE. 00274 | ||00294 | 00275 | default_max_age OPTIONAL. Default max authent||00295 | default_max_age OPTIONAL. Default max authent 00276 | specifies that the End-User must be actively||00296 | specifies that the End-User must be actively 00277 | present authentication is older than the spe||00297 | present authentication is older than the spe 00278 | seconds represented as an integer. (The "ma||00298 | seconds represented as an integer. (The "ma 00279 | parameter corresponds to the OpenID 2.0 PAPE||00299 | parameter corresponds to the OpenID 2.0 PAPE 00280 | request parameter.) The "max_age" claim in ||00300 | request parameter.) The "max_age" claim in 00281 | overrides this default value. ||00301 | overrides this default value. 00282 | ||00302 | 00283 | require_auth_time OPTIONAL. Boolean value spe||00303 | require_auth_time OPTIONAL. Boolean value spe 00284 | "auth_time" claim in the "id_token" is REQUI||00304 | "auth_time" claim in the "id_token" is REQUI 00285 | when the value is "true". The "auth_time" c||00305 | when the value is "true". The "auth_time" c 00286 | request object overrides this setting. 
||00306 | request object overrides this setting. 00287 | ||00307 | 00288 | default_acr OPTIONAL. Default authentication ||00308 | default_acr OPTIONAL. Default authentication 00289 | reference value. String that specifies the ||00309 | reference value. String that specifies the 00290 | Authorization Server must use for processing||00310 | Authorization Server must use for processing 00291 | client. The "acr_values_supported" element ||00311 | client. The "acr_values_supported" element 00292 | a list of the supported "acr" values for thi||00312 | a list of the supported "acr" values for thi 00293 | claim in the request object overrides this d||00313 | claim in the request object overrides this d 00294 | ||00314 | 00295 | initiate_login_uri OPTIONAL. URI using the "h||00315 | initiate_login_uri OPTIONAL. URI using the "h 00296 | authorization server can call to initiate a ||00316 | authorization server can call to initiate a 00297 | The URI MUST accept requests via both GET an||00317 | The URI MUST accept requests via both GET an 00298 | MUST understand the "login_hint" and "iss" p||00318 | MUST understand the "login_hint" and "iss" p 00299 | support the "target_link_uri" parameter. ||00319 | support the "target_link_uri" parameter. 00300 | ||00320 | 00301 | post_logout_redirect_url OPTIONAL. URL suppli||00321 | post_logout_redirect_url OPTIONAL. URL suppli 00302 | request that the user be redirected to this ||00322 | request that the user be redirected to this 00303 | logout has been performed, as specified in O||00323 | logout has been performed, as specified in O 00304 | Management 1.0 [OpenID.Session]. ||00324 | Management 1.0 [OpenID.Session]. 
00305 | ||00325 | 00306 L| The Client Registration Endpoint is an OAuth 2.||00326 R| For example, a client could send the following 00307 L| that may require an Access Token for "client_re||00327 R| to the Client Registration Endpoint: 00308 L| order to restrict registration requests to only|| | 00309 L| || | 00310 L| For "client_update" or "rotate_secret" requests|| | 00311 L| "registration_access_token" is used as the Acce|| | 00312 L| update access to only the registered client. || | 00313 L| || | 00314 L| The Client Registration Endpoint MUST accept Ac|| | 00315 L| 2.0 Bearer Token Usage [RFC6750]. || | 00316 | ||00328 | 00317 | Following is a non-normative example request (w||00329 | Following is a non-normative example request (w 00318 | display purposes only): ||00330 | display purposes only): 00319 L| ||00331 R| POST /clients HTTP/1.1 00320 L| POST /connect/register HTTP/1.1 || | 00321 | Content-Type: application/x-www-form-urlencod||00332 | Content-Type: application/x-www-form-urlencoded 00322 | Host: server.example.com ||00333 | Host: server.example.com 00323 | Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.ey||00334 | Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ 00324 | ||00335 | 00325 L| operation=client_register ||00336 R| application_type=web 00326 L| &application_type=web || | 00327 | &redirect_uris=https://client.example.org/c||00337 | &redirect_uris=https://client.example.org/c 00328 | %20https://client.example.org/callback2 ||00338 | %20https://client.example.org/callback2 00329 | &client_name=My%20Example%20 ||00339 | &client_name=My%20Example%20 00330 | &client_name%23ja-Jpan-JP= ||00340 | &client_name%23ja-Jpan-JP= 00331 L| ワタシ用の&||00341 R| %E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%8 00332 | &logo_url=https://client.example.org/logo.p||00342 | &logo_url=https://client.example.org/logo.p 00333 | &subject_type=pairwise ||00343 | &subject_type=pairwise 00334 | §or_identifier_url= ||00344 | §or_identifier_url= 00335 | 
https://othercompany.com/file_of_redirect||00345 | https://othercompany.com/file_of_redirect 00336 | &token_endpoint_auth_method=client_secret_b||00346 | &token_endpoint_auth_method=client_secret_b 00337 | &jwk_url=https://client.example.org/my_rsa_||00347 | &jwk_url=https://client.example.org/my_rsa_ 00338 | &userinfo_encrypted_response_alg=RSA1_5 ||00348 | &userinfo_encrypted_response_alg=RSA1_5 00339 | &userinfo_encrypted_response_enc=A128CBC+HS||00349 | &userinfo_encrypted_response_enc=A128CBC+HS 00340 | ||00350 | 00341 L|2.1.1. "sector_identifier_url" Validation ||00351 R|3.2. Client Registration Response | ||00352 R| | ||00353 R| Upon successful registration, the Client Regist | ||00354 R| returns the newly-created Client Identifier and | ||00355 R| Client Secret, along with all registered metada | ||00356 R| including any fields provisioned by the Authori | ||00357 R| The Authorization Server MAY reject or replace | ||00358 R| requested field values and substitute them with | ||00359 R| this happens, the Authorization Server MUST inc | ||00360 R| the response to the client. | ||00361 R| | ||00362 R| The response also contains a Registration Acces | ||00363 R| used by the client to perform subsequent operat | ||00364 R| which is returned in the same response. | ||00365 R| | ||00366 R| All of the response items are returned as a JSO | ||00367 R| with the following fields as top-level members | ||00368 R| object. | ||00369 R| | ||00370 R| _links | ||00371 R| REQUIRED. A JSON object with a member "self | ||00372 R| a member "href", a Self URL. | ||00373 R| _[[Editor's note: This is a bit pedantic, bu | ||00374 R| correct way of doing it in link-rel style. | ||00375 R| to specify in this spec that the Self URL is | ||00376 R| URL + ?client_Id=1234. ]]_ | ||00377 R| | ||00378 R| client_id | ||00379 R| REQUIRED. The unique Client identifier, MUS | ||00380 R| valid for any other registered Client. | ||00381 R| | ||00382 R| client_secret | ||00383 R| OPTIONAL. 
The Client secret. This MUST be | ||00384 R| "client_id". This value is used by confiden | ||00385 R| authenticate to the Token Endpoint as descri | ||00386 R| Section 2.3.1.It is not required for clients | ||00387 R| "token_endpoint_auth_method" of "private_key | ||00388 R| | ||00389 R| registration_access_token | ||00390 R| REQUIRED. The Access token to be used by th | ||00391 R| operations on the Self URL. | ||00392 R| | ||00393 R| issued_at | ||00394 R| OPTIONAL. Specifies the timestamp when the | ||00395 R| issued. The timestamp value MUST be a posit | ||00396 R| value is expressed in the number of seconds | ||00397 R| 00:00:00 GMT. [[Editor's note: Added back f | ||00398 R| | ||00399 R| expires_at | ||00400 R| OPTIONAL. Time at which the "client_secret" | ||00401 R| it will not expire. The time is represented | ||00402 R| seconds from 1970-01-01T0:0:0Z as measured i | ||00403 R| [RFC3339] for details regarding date/times i | ||00404 R| particular. | ||00405 R| | ||00406 R| Following is a non-normative example response: 00409 M| HTTP/1.1 200 OK ||00407 R|HTTP/1.1 200 OK 00410 M| Content-Type: application/json ||00408 R|Content-Type: application/json 00411 M| Cache-Control: no-store ||00409 R|Cache-Control: no-store 00412 M| ||00410 R| 00413 M| { ||00411 R|{ | ||00412 R| "_links": { | ||00413 R| "self": { | ||00414 R| "href": "https://server.example.com/cl | ||00415 R| } | ||00416 R| }, | ||00417 R| "client_id": "s6BhdRkqt3", | ||00418 R| "client_secret": "cf136dc3c1fd9153029bb9c6cc9e | ||00419 R| "registration_access_token": "this.is.an.acces | ||00420 R| "token_endpoint_auth_method": "client_secret_b | ||00421 R| "expires_at": 2893276800, | ||00422 R| "application_type": "web", | ||00423 R| "redirect_uris": "https://client.example.org/c | ||00424 R| "client_name": "My Example", | ||00425 R| "client_name#ja-Jpan-JP": "クラ 00430 M| "logo_url": "https://client.example.org/logo||00426 R| "logo_url": "https://client.example.org/logo.p 00431 M| "subject_type": 
"pairwise", ||00427 R| "subject_type": "pairwise", | ||00428 R| "sector_identifier_url": "https://othercompany 00434 M| "jwk_url": "https://client.example.org/my_rs||00429 R| "jwk_url": "https://client.example.org/my_rsa_ 00435 M| "userinfo_encrypted_response_alg": "RSA1_5",||00430 R| "userinfo_encrypted_response_alg": "RSA1_5", 00436 M| "userinfo_encrypted_response_enc": "A128CBC+||00431 R| "userinfo_encrypted_response_enc": "A128CBC+HS 00437 M| } ||00432 R|} 00438 M| ||00433 R| | ||00434 R| | ||00435 R|4. Client Read | ||00436 R| | ||00437 R| The client may request the client URL at the se | ||00438 R| current registered values about the client. To | ||00439 R| sends the HTTP GET request to the client URL. | ||00440 R| | ||00441 R|4.1. Client Read Request | ||00442 R| | ||00443 R| The clients sends the HTTP GET request to e "cl | ||00444 R| | ||00445 R| Following is a non-normative example request (w | ||00446 R| display purposes only): | ||00447 R| GET /clients/s6BhdRkqt3 HTTP/1.1 | ||00448 R| Host: server.example.com | ||00449 R| Authorization: Bearer this.is.an.access.token.v | ||00450 R| | ||00451 R|4.2. Client Read Response | ||00452 R| | ||00453 R| Upon successful request, the server returns the | ||00454 R| metadata about this client, except the Client S | ||00455 R| Access Token. 
R|
R| Following is a non-normative example response:
M| HTTP/1.1 200 OK
M| Content-Type: application/json
M| Cache-Control: no-store
M|
M| {
R| "_links": {
R| "self": {
R| "href": "https://server.example.com/cl
R| }
R| },
R| "client_id": "s6BhdRkqt3",
R| "client_secret": "cf136dc3c1fd9153029bb9c6cc9e
R| "registration_access_token": "this.is.an.acces
R| "token_endpoint_auth_method": "client_secret_b
R| "expires_at": 2893276800,
R| "application_type": "web",
R| "redirect_uris": "https://client.example.org/c
R| "client_name": "My Example",
R| "client_name#ja-Jpan-JP": "クラ
M| "logo_url": "https://client.example.org/logo.p
M| "subject_type": "pairwise",
R| "sector_identifier_url": "https://othercompany
M| "jwk_url": "https://client.example.org/my_rsa_
M| "userinfo_encrypted_response_alg": "RSA1_5",
M| "userinfo_encrypted_response_enc": "A128CBC+HS
M| }
M|
R|
R| 5. Client Update
R|
R| This operation updates a previously-registered
R| metadata at the Authorization Server.
R|
R| 5.1. Client Update Request
R|
R| The request is sent to the Self URL obtained fr
R| registration response with the parameters descr
R| Metadata encoded in the entity body using the
R| "application/x-www-form-urlencoded" format.
R|
R| Parameters sent with this request are the same
R| request except for "access_token", which is the
R| registration request. If included in the reque
R| Client Metadata fields in this request MUST rep
R| values previously associated with this Client.
R| Client Metadata MUST be taken as a request to c
R| value of that field. Omitted values in the Cli
R| remain unchanged by the Authorization Server.
R| Server MAY replace any invalid values with suit
R|
R| For example, a client could send the following
R| Registration Endpoint to update the client regi
R| example:
R|
R| Following is a non-normative example request (w
R| display purposes only):
R| POST /clients/s6BhdRkqt3 HTTP/1.1
R| Accept: application/x-www-form-urlencoded
R| Host: server.example.com
R| Authorization: Bearer this.is.an.access.token.v
R|
R| redirect_uri=https://client.example.org/callbac
R| %20https://client.example.org/alt
R| &client_name=My%20New%20Example%20
R| &client_name%23ja-Jpan-JP=
R| %E3%82%AF%E3%83%A9%E3%82%A4%E3%82%A2%E3%8
R| &logo_url=https://client.example.org/newlog
R|
R| 5.2. Client Update Response
R|
R| Upon successful update, the Client Registration
R| Client ID, along with all current registered me
R| client, including any fields provisioned by the
R| itself. The Authorization Server MAY reject or
R| client's requested field values and substitute
R| If this happens, the Authorization Server MUST
R| in the response to the client.
R|
R| The Authorization Server MUST NOT include the C
R| Request Access Token in this response.
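As an added example (not code from the draft or from any OpenID implementation), the following Python models the Client Read and Client Update operations described above on an in-memory registry: the Registration Access Token is checked as an RFC 6750 bearer token on every request to the Self URL, included update fields replace the stored values while omitted fields stay unchanged, and the Client Secret and Registration Access Token are left out of the response. The registry contents, the Self URL, and the rejection of "client_id" and the secret members in an update are assumptions of this example.

```python
"""Added example, not part of the draft: an in-memory model of Client Read
(GET on the Self URL) and Client Update (POST on the Self URL), with the
Registration Access Token checked as an RFC 6750 bearer token."""
import hmac
from urllib.parse import parse_qsl

# Constructed registration record keyed by its Self URL; the values mirror
# the draft's non-normative example response.
REGISTRY = {
    "https://server.example.com/clients/s6BhdRkqt3": {
        "client_id": "s6BhdRkqt3",
        "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead918bad9887fce6c93f31185e5885805d",
        "registration_access_token": "this.is.an.access.token.value.ffx83",
        "token_endpoint_auth_method": "client_secret_basic",
        "redirect_uris": "https://client.example.org/callback https://client.example.org/callback2",
        "client_name": "My Example",
        "logo_url": "https://client.example.org/logo.png",
    }
}

# The read and update responses MUST NOT carry these two members.
SECRET_MEMBERS = ("client_secret", "registration_access_token")

# A bearer-token failure is an OAuth error, reported the RFC 6750 way:
# 401 plus a WWW-Authenticate challenge, not the draft's 400 JSON body.
BEARER_401 = (401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None)


def _authorize(self_url, bearer):
    """Return the record for self_url if the bearer token matches it.
    The token is a credential, so compare it in constant time; an unknown
    Self URL and a wrong token both yield None (no existence oracle)."""
    record = REGISTRY.get(self_url)
    if record is None:
        return None
    expected = record["registration_access_token"].encode()
    if not hmac.compare_digest(expected, bearer.encode()):
        return None
    return record


def _response(self_url, record):
    """200 JSON body: _links.self plus every non-secret metadata member."""
    body = {"_links": {"self": {"href": self_url}}}
    body.update({k: v for k, v in record.items() if k not in SECRET_MEMBERS})
    return 200, {"Content-Type": "application/json", "Cache-Control": "no-store"}, body


def client_read(self_url, bearer):
    """HTTP GET on the Self URL: current metadata minus the secret members."""
    record = _authorize(self_url, bearer)
    if record is None:
        return BEARER_401
    return _response(self_url, record)


def client_update(self_url, bearer, form_body):
    """HTTP POST on the Self URL. form_body is the application/x-www-form-
    urlencoded entity body: included fields replace the stored values and
    omitted fields are left unchanged."""
    record = _authorize(self_url, bearer)
    if record is None:
        return BEARER_401
    # parse_qsl percent-decodes names and values as UTF-8, which is how
    # "client_name%23ja-Jpan-JP=%E3%82%AF..." becomes the "client_name#ja-Jpan-JP" member.
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        # Server-assigned members cannot be set by the client (this example's
        # policy); the draft's error code for a bad parameter is used.
        if name in SECRET_MEMBERS or name == "client_id":
            return 400, {"Content-Type": "application/json"}, {
                "error_code": "invalid_configuration_parameter",
                "error_description": name + " is assigned by the server",
            }
        record[name] = value
    return _response(self_url, record)
```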
R|
R| These fields are returned in a JSON Document [R
R| members of the root JSON object.
R|
R| Following is a non-normative example response:
M| HTTP/1.1 200 OK
M| Content-Type: application/json
M| Cache-Control: no-store
M|
M| {
R| "_links": {
R| "self": {
R| "href": "https://server.example.com/cl
R| }
R| },
R| "client_id": "s6BhdRkqt3",
R| "client_secret": "cf136dc3c1fd9153029bb9c6cc9e
R| "registration_access_token": "this.is.an.acces
R| "token_endpoint_auth_method": "client_secret_b
R| "expires_at": 2893276800,
R| "application_type": "web",
R| "redirect_uris": "https://client.example.org/c
R| "client_name": "My New Example",
R| "client_name#ja-Jpan-JP": "クラ
R| "logo_url": "https://client.example.org/newlog
R| "subject_type": "pairwise",
R| "sector_identifier_url": "https://othercompany
R| "jwk_url": "https://client.example.org/my_rsa_
R| "userinfo_encrypted_response_alg": "RSA1_5",
R| "userinfo_encrypted_response_enc": "A128CBC+HS
R| }
R|
R|
R| 6. Client Delete
R|
R| This operation allows a client to be de-registe
R| server.
R|
R| 6.1. Client Delete Request
R|
R| To delete the client from the server, the clien
R| request to the client URL.
R|
R| Following is a non-normative example request (w
R| display purposes only):
R| DELETE /clients/s6BhdRkqt3 HTTP/1.1
R| Host: server.example.com
R| Authorization: Bearer reg-23410913-abewfq.12348
R|
R| 6.2. Client Delete Response
R|
R| Upon the successful request, the server returns
R|
R|
R| 7. Client Registration Error Response
M|
M| When an OAuth error condition occurs, the Clien
M| Endpoint returns an Error Response as defined i
M| OAuth 2.0 Bearer Token Usage [RFC6750] specific
M|
M| When a registration error condition occurs, the
M| Endpoint returns a HTTP 400 status code includi
M| describing the error in the response body.
M|
M| The JSON object contains two members:
M|
M| error_code Error code.
M|
M| error_description Additional text description
M| debugging.
M|
M| This specification defines the following error
M|
M| invalid_client_id Value of "client_id" is inva
M|
R| invalid_client_secret "client_secret" provided
R| Self URL is not valid for the provided "clie
M|
M| invalid_redirect_uri Value of one or more "red
M| invalid.
M|
M| invalid_configuration_parameter Value of one o
M| parameters is invalid.
M|
M| Following is a non-normative example of an erro
M|
M| HTTP/1.1 400 Bad Request
M| Content-Type: application/json
M| Cache-Control: no-store
M|
M| {
R| "error_code": "invalid_client_id",
R| "error_description": "The value of the client_i
M| }
M|
M|
R| 8. "sector_identifier_url" Validation
R|
R| [[Editor's Note: This clause needs to be update

Providers who use pairwise "sub" (subject) valu
element.

It provides a way for a group of websites under
administrative control to have consistent pairw
independent of the individual domain names. It
for Clients to change "redirect_uri" domains wi
reregister all of their users.

This is further described in Section 2.4.1 of O
1.0 [OpenID.Messages].

The value of the "sector_identifier_url" must b
"https:" scheme that references a JSON file con
containing "redirect_uri" values.

The values of the registered "redirect_uris" mu
elements of the array, or registration MUST fai


GET /connect/sector_identifier.js HTTP/1.1
Accept: application/json
Host: client.example.org

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

[ "https://client.example.org/callback",
"https://client.example.org/callback2",
"https://client.other_company.example.net/c

L| 2.2. Client Registration Response
L|
L| The response is returned as a JSON object with
L| top level elements.
L|
L| 2.2.1. Client Register Operation Response
L|
L| If the value of "operation" in the request was
L| return the following.
L|
L| client_id REQUIRED. Unique Client identifier.
L|
L| client_secret REQUIRED. Client secret. This
L| each "client_id".
L| This value is used by con
L| is not required for clients selecting a
L| "token_endpoint_auth_method" of "private_key
L|
L| registration_access_token REQUIRED. Access to
L| to perform "client_update" and "rotate_secre
L|
L| expires_at OPTIONAL. Time at which the "clien
L| or "0" if it will not expire. The time is r
L| number of seconds from 1970-01-01T0:0:0Z as
L| RFC 3339 [RFC3339] for details regarding dat
L| UTC in particular.
L|
L| Additionally, the server MUST include all regis
L| client as described in Section 2.1, including a
L| server has provisioned on the client's behalf.
L|
L| Following is a non-normative example response (
L| display purposes only):
L|
L| HTTP/1.1 200 OK
L| Content-Type: application/json
L| Cache-Control: no-store
L|
L| {
L| "client_id": "s6BhdRkqt3",
L| "client_secret":
L| "cf136dc3c1fd9153029bb9c6cc9ecead
L| 918bad9887fce6c93f31185e5885805d",
L| "registration_access_token":
L| "this.is.an.access.token.value.ffx83",
L| "token_endpoint_auth_method":
L| "client_secret_basic",
L| "expires_at":2893276800,
L| "application_type": "web",
L| "redirect_uris":
L| "https://client.example.org/callback
L| https://client.example.org/callback2",
L| "client_name": "My Example",
L| "client_name#ja-Jpan-JP":
L| "ワタシ用の&
L| "logo_url": "https://client.example.org/logo.p
L| "subject_type": "pairwise",
"sector_identifier_url": || | 00433 L| "https://othercompany.com/file_of_redirect|| | 00434 L| "jwk_url": "https://client.example.org/my_rs||00429 M| "jwk_url": "https://client.example.org/my_rsa_ 00435 L| "userinfo_encrypted_response_alg": "RSA1_5",||00430 M| "userinfo_encrypted_response_alg": "RSA1_5", 00436 L| "userinfo_encrypted_response_enc": "A128CBC+||00431 M| "userinfo_encrypted_response_enc": "A128CBC+HS 00437 L| } ||00432 M|} 00438 L| ||00433 M| 00439 L|2.2.2. Rotate Secret Operation Response || | 00440 L| || | 00441 L| If the value of "operation" in the request was || | 00442 L| return the following. || | 00443 L| || | 00444 L| client_id REQUIRED. Unique Client identifier.|| | 00445 L| || | 00446 L| client_secret OPTIONAL. Client secret. This || | 00447 L| each "client_id". This value is used by con|| | 00448 L| is not required for Clients selecting a || | 00449 L| "token_endpoint_auth_method" of "private_key|| | 00450 L| || | 00451 L| registration_access_token REQUIRED. Access To|| | 00452 L| to perform "client_update" and "rotate_secre|| | 00453 L| || | 00454 L| expires_at OPTIONAL. Number of seconds from 1|| | 00455 L| measured in UTC at which the "client_secret"|| | 00456 L| it will not expire. See RFC 3339 [RFC3339] || | 00457 L| date/times in general and UTC in particular.|| | 00458 L| || | 00459 L| Following is a non-normative example response: || | 00460 L| || | 00461 L| HTTP/1.1 200 OK ||00543 M|HTTP/1.1 200 OK 00462 L| Content-Type: application/json ||00544 M|Content-Type: application/json 00463 L| Cache-Control: no-store ||00545 M|Cache-Control: no-store 00464 L| ||00546 M| 00465 L| { ||00547 M|{ 00466 L| "client_id": "s6BhdRkqt3", || | 00467 L| "client_secret": || | 00468 L| "cf136dc3c1fd9153029bb9c6cc9ecead || | 00469 L| 918bad9887fce6c93f31185e5885805d", || | 00470 L| "registration_access_token": || | 00471 L| "this.is.an.access.token.value.ffx83", || | 00472 L| "expires_at":2893276800 || | 00473 L| } || | 00474 L| || | 00475 L|2.2.3. 
L| 2.2.3. Client Update Operation Response
L|
L| If the value of "operation" in the request was
L|
L| client_id REQUIRED. Unique Client identifier.
L|
L| Additionally, the server MUST include all regis
L| client as described in Section 2.1, including a
L| server has provisioned on the client's behalf.
L|
L| Following is a non-normative example response (
L| display purposes only):
L|
L| HTTP/1.1 200 OK
L| Content-Type: application/json
L| Cache-Control: no-store
L|
L| {
L| "client_id": "s6BhdRkqt3"
L| "token_endpoint_auth_method":
L| "client_secret_basic",
L| "application_type": "web",
L| "redirect_uris":
L| "https://client.example.org/callback
L| https://client.example.org/callback2",
L| "client_name": "My Example",
L| "client_name#ja-Jpan-JP":
L| "ワタシ用の&
L| "logo_url": "https://client.example.org/logo.p
L| "subject_type": "pairwise",
L| "sector_identifier_url":
L| "https://othercompany.com/file_of_redirect
L| "jwk_url": "https://client.example.org/my_rsa_
L| "userinfo_encrypted_response_alg": "RSA1_5",
L| "userinfo_encrypted_response_enc": "A128CBC+HS
L| }
L|
L| 2.3. Client Registration Error Response
L|
L| When an OAuth error condition occurs, the Clien
L| Endpoint returns an Error Response as defined i
L| OAuth 2.0 Bearer Token Usage [RFC6750] specific
L|
L| When a registration error condition occurs, the
L| Endpoint returns a HTTP 400 status code includi
L| describing the error in the response body.
L|
L| The JSON object contains two members:
L|
L| error_code Error code.
L|
L| error_description Additional text description
L| debugging.
L|
L| This specification defines the following error
L|
L| invalid_operation Value of "operation" is inva
L|
L| invalid_client_id Value of "client_id" is inva
L|
L| invalid_client_secret "client_secret" provided
L| or "rotate_secret" is not valid for the prov
L|
L| invalid_redirect_uri Value of one or more "red
L| invalid.
L|
L| invalid_configuration_parameter Value of one o
L| parameters is invalid.
L|
L| Following is a non-normative example of an erro
L|
L| HTTP/1.1 400 Bad Request
L| Content-Type: application/json
L| Cache-Control: no-store
L|
L| {
L| "error_code": "invalid_operation",
L| "error_description": "The value of the opera
L| one of client_register, rotate_secret or
L| }
L|
L|
L| 3. String Operations
R|
R| 9. String Operations

Processing some OpenID Connect messages require
the messages to known values. For example, the
Client registration response might be compared
names such as "client_id". Comparing Unicode s
significant security implications.

Therefore, comparisons between JSON strings and
MUST be performed as specified below:

1. Remove any JSON applied escaping to produce
code points.

2. Unicode Normalization [USA15] MUST NOT be a
either the JSON string or to the string it
against.

3. Comparisons between the two strings MUST be
Unicode code point to code point equality c

In several places, this specification uses spac
strings. In all such cases, only the ASCII spa
MAY be used for this purpose.


L| 4. Validation
R| 10. Validation

If any of the validation procedures defined in
fail, any operations requiring the information
correctly validate MUST be aborted and the info
validate MUST NOT be used.


L| 5. Implementation Considerations
R| 11. Implementation Considerations

This specification defines features used by bot
OpenID Providers that choose to implement Dynam
Registration. All of these Relying Parties and
implement the features that are listed in this
"REQUIRED" or are described with a "MUST". No
considerations for implementations of Dynamic C
defined by this specification.


L| 6. Security Considerations
R| 12. Security Considerations

Since requests to the Client Registration Endpo
transmission of clear-text credentials (in the
response), all communication with the Registra
L| utilize TLS. See Section 6.1 for more informat
R| utilize TLS. See Section 12.1 for more informa

Requests to the Registration Endpoint for "clie
some rate limiting on failures to prevent the C
being disclosed through repeated access attempts

A rogue RP might use the logo for the legitimat
trying to impersonate. An OP needs to take ste
phishing risk, since the logo could confuse use
they're logging in to the legitimate RP. An OP
the domain/site of the logo doesn't match the d
URIs. An OP can also make warnings against unt
cases, especially if they're dynamically regist
trusted by any users at the OP before, and want
feature.
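As an added example (not code from the draft or any OpenID implementation), the following Python implements the OP-side checks the draft describes: the "sector_identifier_url" Validation section (the URL must use the https scheme and reference a JSON array that lists every registered redirect_uri, or registration fails), the String Operations section (code point equality after JSON unescaping, with no Unicode normalization), and the logo-domain check in the paragraph above. The `fetch` callback, `nfc_equal` (shown only as the forbidden contrast), the sample sector identifier document and the metadata dictionary are constructed for this example.

```python
"""Added example, not part of the draft: registration-time validation of
"sector_identifier_url", redirect_uris and logo/policy hosts at an OP."""
import json
import unicodedata
from urllib.parse import urlsplit


def json_string_equal(a, b):
    """String Operations rule: after JSON unescaping (json.loads has already
    done it), compare code point by code point, with NO normalization."""
    return a == b  # str equality in Python is exactly code-point equality


def nfc_equal(a, b):
    """What the rule forbids: comparing after Unicode normalization. Shown
    only to demonstrate that it accepts strings json_string_equal rejects."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def validate_sector_identifier(sector_identifier_url, redirect_uris, fetch):
    """Return (ok, reason). Fails unless the URL is https and every
    registered redirect_uri appears in the JSON array it references."""
    parts = urlsplit(sector_identifier_url)
    if parts.scheme != "https" or not parts.hostname:
        return False, "sector_identifier_url must be an https URL"
    try:
        listed = json.loads(fetch(sector_identifier_url))
    except ValueError:
        return False, "sector_identifier_url document is not valid JSON"
    if not isinstance(listed, list) or not all(isinstance(u, str) for u in listed):
        return False, "sector_identifier_url must reference a JSON array of strings"
    for uri in redirect_uris:
        if not any(json_string_equal(uri, entry) for entry in listed):
            return False, "redirect_uri not in sector identifier list: " + uri
    return True, "ok"


def host_in_redirect_uris(url, redirect_uris):
    """Security Considerations: a logo_url or policy_url whose host is not
    one of the redirect_uri hosts may be a borrowed logo or a drive-by page."""
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    return urlsplit(url).hostname in hosts


def validate_registration(metadata, fetch):
    """Apply both checks to registration metadata; redirect_uris is the
    space-separated string form used in the draft's examples."""
    uris = [u for u in metadata["redirect_uris"].split(" ") if u]
    if metadata.get("subject_type") == "pairwise" and "sector_identifier_url" in metadata:
        ok, reason = validate_sector_identifier(metadata["sector_identifier_url"], uris, fetch)
        if not ok:
            return False, reason
    for field in ("logo_url", "policy_url"):
        if field in metadata and not host_in_redirect_uris(metadata[field], uris):
            return False, field + " host is not a redirect_uri host"
    return True, "ok"


# Constructed sector identifier document, modelled on the draft's example
# response for GET /connect/sector_identifier.js on client.example.org.
SECTOR_URL = "https://client.example.org/connect/sector_identifier.js"
SECTOR_DOC = json.dumps([
    "https://client.example.org/callback",
    "https://client.example.org/callback2",
    "https://client.other_company.example.net/callback",
])


def fake_fetch(url):
    """Stand-in for the https GET (an assumption of this example). A real
    fetch must validate the server certificate per the TLS Requirements."""
    if url == SECTOR_URL:
        return SECTOR_DOC
    raise LookupError("unexpected URL " + url)


# Constructed registration metadata mirroring the draft's example request.
EXAMPLE_METADATA = {
    "redirect_uris": "https://client.example.org/callback https://client.example.org/callback2",
    "subject_type": "pairwise",
    "sector_identifier_url": SECTOR_URL,
    "logo_url": "https://client.example.org/logo.png",
}
```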

In a situation where the Authorization Server i
Client registration, it must be extremely caref
provided by the Client that will be displayed t
"logo_url" and "policy_url"). A rogue Client c
registration request with a reference to a driv
"policy_url". The Authorization Server should
"logo_url" and "policy_url" have the same host
in the array of "redirect_uris".

L| 6.1. TLS Requirements
R| 12.1. TLS Requirements

Implementations MUST support TLS. Which versio
implemented will vary over time, and depend on
deployment and known security vulnerabilities a
implementation. At the time of this writing, T
[RFC5246] is the most recent version, but has v
deployment, and might not be readily available
toolkits. TLS version 1.0 [RFC2246] is the mos
version, and will give the broadest interoperab

To protect against information disclosure and t
confidentiality protection MUST be applied usin
ciphersuite that provides confidentiality and i

Whenever TLS is used, a TLS server certificate
performed, per RFC 6125 [RFC6125].


L| 7. IANA Considerations
L|
L| This document makes no requests of IANA.
L|
L| 8. References
L|
L| 8.1. Normative References
R| 13. Privacy Considerations
R|
R| 14. IANA Considerations
R|
R| This document makes no requests of IANA.
R|
R| 15. References
R|
R| 15.1. Normative References

[JWA] Jones, M., "JSON Web Algorithms (JWA
draft-ietf-jose-json-web-algorithms
December 2012.

[JWE] Jones, M., Rescorla, E., and J. Hild
Encryption (JWE)", draft-ietf-jose-j
(work in progress), December 2012.

[JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work i
December 2012.

[JWS] Jones, M., Bradley, J., and N. Sakim
Signature (JWS)", draft-ietf-jose-js
in progress), December 2012.

[JWT] Jones, M., Bradley, J., and N. Sakim
(JWT)", draft-ietf-oauth-json-web-to
progress), December 2012.

[OpenID.Messages]
Sakimura, N., Bradley, J., Jones, M.
Mortimore, C., and E. Jay, "OpenID C
January 2013.

[OpenID.Session]
Sakimura, N., Bradley, J., Jones, M.
N. Agarwal, "OpenID Connect Session
January 2013.

[RFC2119] Bradner, S., "Key words for use in R
Requirement Levels", BCP 14, RFC 211

[RFC2246] Dierks, T. and C. Allen, "The TLS Pr
RFC 2246, January 1999.

[RFC3339] Klyne, G., Ed. and C. Newman, "Date
Internet: Timestamps", RFC 3339, Jul

R| [RFC4627] Crockford, D., "The application/json
R| JavaScript Object Notation (JSON)",
R|
and E. Rescorla, "The Tra||00820 | [RFC5246] Dierks, T. and E. Rescorla, "The Tra 00700 | (TLS) Protocol Version 1.2", RFC 524||00821 | (TLS) Protocol Version 1.2", RFC 524 00701 | ||00822 | 00702 | [RFC6125] Saint-Andre, P. and J. Hodges, "Repr||00823 | [RFC6125] Saint-Andre, P. and J. Hodges, "Repr 00703 | Verification of Domain-Based Applica||00824 | Verification of Domain-Based Applica 00704 | within Internet Public Key Infrastru||00825 | within Internet Public Key Infrastru 00705 | (PKIX) Certificates in the Context o||00826 | (PKIX) Certificates in the Context o 00706 | Security (TLS)", RFC 6125, March 201||00827 | Security (TLS)", RFC 6125, March 201 00707 | ||00828 | 00708 | [RFC6749] Hardt, D., "The OAuth 2.0 Authorizat||00829 | [RFC6749] Hardt, D., "The OAuth 2.0 Authorizat 00709 | RFC 6749, October 2012. ||00830 | RFC 6749, October 2012. 00710 | ||00831 | 00711 | [RFC6750] Jones, M. and D. Hardt, "The OAuth 2||00832 | [RFC6750] Jones, M. and D. Hardt, "The OAuth 2 00712 | Framework: Bearer Token Usage", RFC ||00833 | Framework: Bearer Token Usage", RFC 00713 | ||00834 | 00714 | [USA15] Davis, M., Whistler, K., and M. Duer||00835 | [USA15] Davis, M., Whistler, K., and M. Duer 00715 | Normalization Forms", Unicode Standa||00836 | Normalization Forms", Unicode Standa 00716 | ||00837 | 00717 L|8.2. Informative References ||00838 R|15.2. Informative References 00718 | ||00839 | 00719 | [I-D.ietf-oauth-dyn-reg] ||00840 | [I-D.ietf-oauth-dyn-reg] 00720 | Richer, J., Bradley, J., Jones, M., ||00841 | Richer, J., Bradley, J., Jones, M., 00721 | "OAuth Dynamic Client Registration P||00842 | "OAuth Dynamic Client Registration P 00722 | draft-ietf-oauth-dyn-reg-04 (work in||00843 | draft-ietf-oauth-dyn-reg-04 (work in 00723 | January 2013. ||00844 | January 2013. 00724 | ||00845 | 00725 | ||00846 | 00726 |Appendix A. Acknowledgements ||00847 |Appendix A. Acknowledgements 00727 | ||00848 | 00728 | ||00849 | 00729 |Appendix B. Notices ||00850 |Appendix B. 
Notices 00730 | ||00851 | 00731 | Copyright (c) 2013 The OpenID Foundation. ||00852 | Copyright (c) 2013 The OpenID Foundation. 00732 | ||00853 | 00733 | The OpenID Foundation (OIDF) grants to any Cont||00854 | The OpenID Foundation (OIDF) grants to any Cont 00734 | implementer, or other interested party a non-ex||00855 | implementer, or other interested party a non-ex 00735 | worldwide copyright license to reproduce, prepa||00856 | worldwide copyright license to reproduce, prepa 00736 | from, distribute, perform and display, this Imp||00857 | from, distribute, perform and display, this Imp 00737 | Final Specification solely for the purposes of ||00858 | Final Specification solely for the purposes of 00738 | specifications, and (ii) implementing Implement||00859 | specifications, and (ii) implementing Implement 00739 | Specifications based on such documents, provide||00860 | Specifications based on such documents, provide 00740 | made to the OIDF as the source of the material,||00861 | made to the OIDF as the source of the material, 00741 | attribution does not indicate an endorsement by||00862 | attribution does not indicate an endorsement by 00742 | ||00863 | 00743 | The technology described in this specification ||00864 | The technology described in this specification 00744 | from contributions from various sources, includ||00865 | from contributions from various sources, includ 00745 | OpenID Foundation and others. Although the Ope||00866 | OpenID Foundation and others. 
Although the Ope 00746 | taken steps to help ensure that the technology ||00867 | taken steps to help ensure that the technology 00747 | distribution, it takes no position regarding th||00868 | distribution, it takes no position regarding th 00748 | any intellectual property or other rights that ||00869 | any intellectual property or other rights that 00749 | pertain to the implementation or use of the tec||00870 | pertain to the implementation or use of the tec 00750 | this specification or the extent to which any l||00871 | this specification or the extent to which any l 00751 | rights might or might not be available; neither||00872 | rights might or might not be available; neither 00752 | that it has made any independent effort to iden||00873 | that it has made any independent effort to iden 00753 | The OpenID Foundation and the contributors to t||00874 | The OpenID Foundation and the contributors to t 00754 | no (and hereby expressly disclaim any) warranti||00875 | no (and hereby expressly disclaim any) warranti 00755 | or otherwise), including implied warranties of ||00876 | or otherwise), including implied warranties of 00756 | infringement, fitness for a particular purpose,||00877 | infringement, fitness for a particular purpose, 00757 | this specification, and the entire risk as to i||00878 | this specification, and the entire risk as to i 00758 | specification is assumed by the implementer. T||00879 | specification is assumed by the implementer. T 00759 | Property Rights policy requires contributors to||00880 | Property Rights policy requires contributors to 00760 | promise not to assert certain patent claims aga||00881 | promise not to assert certain patent claims aga 00761 | contributors and against implementers. The Ope||00882 | contributors and against implementers. 
The Ope 00762 | any interested party to bring to its attention ||00883 | any interested party to bring to its attention 00763 | patents, patent applications, or other propriet||00884 | patents, patent applications, or other propriet 00764 | cover technology that may be required to practi||00885 | cover technology that may be required to practi 00765 | ||00886 | 00766 | ||00887 | 00767 |Appendix C. Document History ||00888 |Appendix C. Document History 00768 | ||00889 | 00769 | [[ To be removed from the final specification ]||00890 | [[ To be removed from the final specification ] | ||00891 R| | ||00892 R| -17 discussion version | ||00893 R| | ||00894 R| o Moved Terminology section out of Introductio | ||00895 R| independent section and added several termin | ||00896 R| | ||00897 R| o Deleted the "operation" parameter | ||00898 R| | ||00899 R| o Deleted the "rotate_secret" | ||00900 R| | ||00901 R| o Added Client Read Request (GET) | ||00902 R| | ||00903 R| o Added Client Delete Request (DELETE) | ||00904 R| | ||00905 R| o Added "Self URL" | ||00906 R| | ||00907 R| o Added "_links" | ||00908 R| | ||00909 R| o Added Editor's Notes | ||00910 R| | ||00911 R| o Changed the Japanese client name to make it | ||00912 R| | ||00913 R| o Added issued_at | ||00914 R| | ||00915 R| o Added client update example (that seems to b | ||00916 R| parameters that were present in the registra | ||00917 R| | ||00918 R| o Cleand up the indents 00770 | ||00919 | 00771 | -16 ||00920 | -16 00772 | ||00921 | 00773 | o Fixed #734 - Invalid JSON in examples. ||00922 | o Fixed #734 - Invalid JSON in examples. 00774 | ||00923 | 00775 | o Fixed #736 - Client Update Operation Respons||00924 | o Fixed #736 - Client Update Operation Respons 00776 | be removed from example. ||00925 | be removed from example. 
00777 | ||00926 | 00778 | o Fixed #735 - Require expires_at value in Cli||00927 | o Fixed #735 - Require expires_at value in Cli 00779 | ||00928 | 00780 | o Added Security Considerations section about ||00929 | o Added Security Considerations section about 00781 | requirements and usage. ||00930 | requirements and usage. 00782 | ||00931 | 00783 | o State that when any validations fail, any op||00932 | o State that when any validations fail, any op 00784 | information that failed to correctly validat||00933 | information that failed to correctly validat 00785 | the information that failed to validate MUST||00934 | the information that failed to validate MUST 00786 | ||00935 | 00787 | -15 ||00936 | -15 00788 | ||00937 | 00789 | o Fixed #708 - Registration access token requi||00938 | o Fixed #708 - Registration access token requi 00790 | ||00939 | 00791 | -14 ||00940 | -14 00792 | ||00941 | 00793 | o Changed the syntax of some elements to match||00942 | o Changed the syntax of some elements to match 00794 | the OAuth Dynamic Client Registration draft.||00943 | the OAuth Dynamic Client Registration draft. 00795 | changed "type" to "operation", changed "asso||00944 | changed "type" to "operation", changed "asso 00796 | and changed "application_name" to "client_na||00945 | and changed "application_name" to "client_na 00797 | responses of "client_register" and "client_u||00946 | responses of "client_register" and "client_u 00798 | client information instead of just the Clien||00947 | client information instead of just the Clien 00799 | ||00948 | 00800 | o Added Implementation Considerations section.||00949 | o Added Implementation Considerations section. 
00801 | ||00950 | 00802 | o Fixed #656 - Changed "token_endpoint_auth_ty||00951 | o Fixed #656 - Changed "token_endpoint_auth_ty 00803 | "token_endpoint_auth_method" and ||00952 | "token_endpoint_auth_method" and 00804 | "token_endpoint_auth_types_supported" to ||00953 | "token_endpoint_auth_types_supported" to 00805 | "token_endpoint_auth_methods_supported". ||00954 | "token_endpoint_auth_methods_supported". 00806 | ||00955 | 00807 | o Fixed #698 - Inconsistent use of articles. ||00956 | o Fixed #698 - Inconsistent use of articles. 00808 | ||00957 | 00809 | o Deleted "javascript_origin_uris", which is n||00958 | o Deleted "javascript_origin_uris", which is n 00810 | Session. ||00959 | Session. 00811 | ||00960 | 00812 | o Reference and provide note to implementers a||00961 | o Reference and provide note to implementers a 00813 | Client Registration Protocol [I-D.ietf-oauth||00962 | Client Registration Protocol [I-D.ietf-oauth 00814 | ||00963 | 00815 | o Changed token_endpoint_auth_method example r||00964 | o Changed token_endpoint_auth_method example r 00816 | "client_secret_basic client_secret_post" to ||00965 | "client_secret_basic client_secret_post" to 00817 | since the definition requires the value to b||00966 | since the definition requires the value to b 00818 | ||00967 | 00819 | -13 ||00968 | -13 00820 | ||00969 | 00821 | o Fixed #687 - Inconsistency between "user_id"||00970 | o Fixed #687 - Inconsistency between "user_id" 00822 | The fix changed these names: user_id -> sub,||00971 | The fix changed these names: user_id -> sub, 00823 | user_id_types_supported -> subject_types_sup||00972 | user_id_types_supported -> subject_types_sup 00824 | -> subject_type, and prn -> sub. ||00973 | -> subject_type, and prn -> sub. 00825 | ||00974 | 00826 | o Renamed "acrs_supported" to "acr_values_supp||00975 | o Renamed "acrs_supported" to "acr_values_supp 00827 | consistency. ||00976 | consistency. 
00828 | ||00977 | 00829 | o Fixed #685 - The policy URL should be differ||00978 | o Fixed #685 - The policy URL should be differ 00830 | service URL. A new "tos_url" registration p||00979 | service URL. A new "tos_url" registration p 00831 | ||00980 | 00832 | o Clarified that "jwk_url" and "jwk_encryption||00981 | o Clarified that "jwk_url" and "jwk_encryption 00833 | documents containing JWK Sets - not single J||00982 | documents containing JWK Sets - not single J 00834 | ||00983 | 00835 | o Re #601 add initiate_login_uri for unsolicit||00984 | o Re #601 add initiate_login_uri for unsolicit 00836 | ||00985 | 00837 | -12 ||00986 | -12 00838 | ||00987 | 00839 | o Made application_type REQUIRED and added an ||00988 | o Made application_type REQUIRED and added an 00840 | redirect_uris registration ||00989 | redirect_uris registration 00841 | ||00990 | 00842 | o Section 2.1 clarification that updates repla||00991 | o Section 2.1 clarification that updates repla 00843 | previously set. ||00992 | previously set. 
00844 | ||00993 | 00845 | o Section 2.3 add rotate_secret to invalid cli||00994 | o Section 2.3 add rotate_secret to invalid cli 00846 | ||00995 | 00847 | o Added registration_access_token for updating||00996 | o Added registration_access_token for updating 00848 | secret optional ||00997 | secret optional 00849 | ||00998 | 00850 | o added registration_access_token to example r||00999 | o added registration_access_token to example r 00851 | ||01000 | 00852 | o removed client_id from request as the client||01001 | o removed client_id from request as the client 00853 | access token for updates ||01002 | access token for updates 00854 | ||01003 | 00855 | o Changed redirect_uris from RECOMMENDED for c||01004 | o Changed redirect_uris from RECOMMENDED for c 00856 | implicit to REQUIRED ||01005 | implicit to REQUIRED 00857 | ||01006 | 00858 | o Changed 2.1 to only allow access_token as a ||01007 | o Changed 2.1 to only allow access_token as a 00859 | rotate_secret ||01008 | rotate_secret 00860 | ||01009 | 00861 | o Fixed reference in application_name and adde||01010 | o Fixed reference in application_name and adde 00862 | ja-Hani-JP encoded name. ||01011 | ja-Hani-JP encoded name. 00863 | ||01012 | 00864 | o Made application_type OPTIONAL with web as t||01013 | o Made application_type OPTIONAL with web as t 00865 | ||01014 | 00866 | o Fixes #642 - Registration separates applicat||01015 | o Fixes #642 - Registration separates applicat 00867 | bearer. ||01016 | bearer. 
00868 | ||01017 | 00869 | o Updated references to OAuth and Bearer to re||01018 | o Updated references to OAuth and Bearer to re 00870 | ||01019 | 00871 | o Fix typo error_description ||01020 | o Fix typo error_description 00872 | ||01021 | 00873 | o Re #642 change error to error_code in 2.3 ex||01022 | o Re #642 change error to error_code in 2.3 ex 00874 | ||01023 | 00875 | o Fixed #614 - Discovery - 3.2 Distinguishing ||01024 | o Fixed #614 - Discovery - 3.2 Distinguishing 00876 | integrity parameters for HMAC algorithms. T||01025 | integrity parameters for HMAC algorithms. T 00877 | parameter changes made to the JWE spec in ||01026 | parameter changes made to the JWE spec in 00878 | draft-ietf-jose-json-web-encryption-06. It ||01027 | draft-ietf-jose-json-web-encryption-06. It 00879 | {userinfo,id_token}_encrypted_response_int. ||01028 | {userinfo,id_token}_encrypted_response_int. 00880 | parameters ||01029 | parameters 00881 | {userinfo,id_token,request_object,token_endp||01030 | {userinfo,id_token,request_object,token_endp 00882 | with {userinfo,id_token,request_object,token||01031 | with {userinfo,id_token,request_object,token 00883 | _values_supported and {userinfo,id_token,req||01032 | _values_supported and {userinfo,id_token,req 00884 | oint}_encryption_{alg,enc}_values_supported.||01033 | oint}_encryption_{alg,enc}_values_supported. 00885 | ||01034 | 00886 | o Fixed #673 - Registration 2.1: Rename ||01035 | o Fixed #673 - Registration 2.1: Rename 00887 | require_signed_request_object to request_obj||01036 | require_signed_request_object to request_obj 00888 | change was to rename require_signed_request_||01037 | change was to rename require_signed_request_ 00889 | request_object_signing_alg, following the na||01038 | request_object_signing_alg, following the na 00890 | in the resolution to issue #614. ||01039 | in the resolution to issue #614. 00891 | ||01040 | 00892 | o Fixed #666 - JWS signature validation vs. 
ve||01041 | o Fixed #666 - JWS signature validation vs. ve 00893 | ||01042 | 00894 | o Referenced OAuth 2.0 RFCs -- RFC 6749 and RF||01043 | o Referenced OAuth 2.0 RFCs -- RFC 6749 and RF 00895 | ||01044 | 00896 | o Fixed #674 - Description of require_auth_tim||01045 | o Fixed #674 - Description of require_auth_tim 00897 | ||01046 | 00898 | -11 ||01047 | -11 00899 | ||01048 | 00900 | o Made "rotate_secret" a separate registration||01049 | o Made "rotate_secret" a separate registration 00901 | client secret changing with every response, ||01050 | client secret changing with every response, 00902 | ||01051 | 00903 | o Changed default ID Token signing algorithm t||01052 | o Changed default ID Token signing algorithm t 00904 | #571 ||01053 | #571 00905 | ||01054 | 00906 | o Changed client.example.com to client.example||01055 | o Changed client.example.com to client.example 00907 | ||01056 | 00908 | o Added text for authz to the registration end||01057 | o Added text for authz to the registration end 00909 | ||01058 | 00910 | o Use standards track version of JSON Web Toke||01059 | o Use standards track version of JSON Web Toke 00911 | (draft-ietf-oauth-json-web-token) ||01060 | (draft-ietf-oauth-json-web-token) 00912 | ||01061 | 00913 | -10 ||01062 | -10 00914 | ||01063 | 00915 | o Split encrypted response configurations into||01064 | o Split encrypted response configurations into 00916 | for alg, enc, int ||01065 | for alg, enc, int 00917 | ||01066 | 00918 | o Removed extra "s" from signed response param||01067 | o Removed extra "s" from signed response param 00919 | ||01068 | 00920 | o Add reference to JWA ||01069 | o Add reference to JWA 00921 | ||01070 | 00922 | o Updated Notices ||01071 | o Updated Notices 00923 | ||01072 | 00924 | o Updated References ||01073 | o Updated References 00925 | ||01074 | 00926 | -09 ||01075 | -09 00927 | ||01076 | 00928 | o Removed erroneous spanx declarations from ex||01077 | o Removed erroneous spanx declarations from ex 00929 | 
||01078 | 00930 | o Fixed example in Sec 2.2 to show expires_at ||01079 | o Fixed example in Sec 2.2 to show expires_at 00931 | ||01080 | 00932 | o Fixed Sec 2.1.1 to clarify it is the registr||01081 | o Fixed Sec 2.1.1 to clarify it is the registr 00933 | certificate check ||01082 | certificate check 00934 | ||01083 | 00935 | o Fixed Sec 2.1.1 example to include http port||01084 | o Fixed Sec 2.1.1 example to include http port 00936 | ||01085 | 00937 | o Fixed #542 Sec 2.1 userinfo_signed_response_||01086 | o Fixed #542 Sec 2.1 userinfo_signed_response_ 00938 | signature. Clarify response is signed. ||01087 | signature. Clarify response is signed. 00939 | ||01088 | 00940 | o Fixed Sec 2.1 userinfo_encrypted_response_al||01089 | o Fixed Sec 2.1 userinfo_encrypted_response_al 00941 | JWE containing JWT ||01090 | JWE containing JWT 00942 | ||01091 | 00943 | o Fixes #529 Sec 2.3 Clarify error response is||01092 | o Fixes #529 Sec 2.3 Clarify error response is 00944 | example ||01093 | example 00945 | ||01094 | 00946 | o Add default_max_age registration parameter ||01095 | o Add default_max_age registration parameter 00947 | ||01096 | 00948 | o Add default_acr registration parameter ||01097 | o Add default_acr registration parameter 00949 | ||01098 | 00950 | o Add require_auth_time registration parameter||01099 | o Add require_auth_time registration parameter 00951 | ||01100 | 00952 | -08 ||01101 | -08 00953 | ||01102 | 00954 | o Replaced token_endpoint with a defined term ||01103 | o Replaced token_endpoint with a defined term 00955 | 2.0] ||01104 | 2.0] 00956 | ||01105 | 00957 | o Added policy_url parameter ||01106 | o Added policy_url parameter 00958 | ||01107 | 00959 | o Renamed expires_in but expires_at ||01108 | o Renamed expires_in but expires_at 00960 | ||01109 | 00961 | o Registration Endpoint can be OAuth Protected||01110 | o Registration Endpoint can be OAuth Protected 00962 | ||01111 | 00963 | o Added parameters for requiring encryption an||01112 | o Added 
parameters for requiring encryption an 00964 | Request Object, UserInfo and ID Token ||01113 | Request Object, UserInfo and ID Token 00965 | ||01114 | 00966 | o Added token_endpoint_auth_type and list of v||01115 | o Added token_endpoint_auth_type and list of v 00967 | types ||01116 | types 00968 | ||01117 | 00969 | o Added JWK and X509 URLs for signature and en||01118 | o Added JWK and X509 URLs for signature and en 00970 | ||01119 | 00971 | o Added user_id_type ||01120 | o Added user_id_type 00972 | ||01121 | 00973 | o Changed sector_identifier to sector_identifi||01122 | o Changed sector_identifier to sector_identifi 00974 | verification ||01123 | verification 00975 | ||01124 | 00976 | o Use RFC 6125 to verify TLS endpoints ||01125 | o Use RFC 6125 to verify TLS endpoints 00977 | ||01126 | 00978 | o Changed 'contact' to 'contacts', 'redirect_u||01127 | o Changed 'contact' to 'contacts', 'redirect_u 00979 | ||01128 | 00980 | o Changed redirect_uris to RECOMMENDED for cod||01129 | o Changed redirect_uris to RECOMMENDED for cod 00981 | for implicit flow Clients ||01130 | for implicit flow Clients 00982 | ||01131 | 00983 | o Removed js_origin_uri ||01132 | o Removed js_origin_uri 00984 | ||01133 | 00985 | o Added section about string comparison rules ||01134 | o Added section about string comparison rules 00986 | ||01135 | 00987 | o Clarified redirect_uris matching ||01136 | o Clarified redirect_uris matching 00988 | ||01137 | 00989 | o Update John Bradley email and affiliation fo||01138 | o Update John Bradley email and affiliation fo 00990 | ||01139 | 00991 | -07 ||01140 | -07 00992 | ||01141 | 00993 | o Changed request from posting a JSON object t||01142 | o Changed request from posting a JSON object t 00994 | encoded. ||01143 | encoded. 
00995 | ||01144 | 00996 | o Added x509_url to support optional encryptio||01145 | o Added x509_url to support optional encryptio 00997 | ||01146 | 00998 | -06 ||01147 | -06 00999 | ||01148 | 01000 | o Changes associated with renaming "Lite" to "||01149 | o Changes associated with renaming "Lite" to " 01001 | replacing "Core" and "Framework" with "Messa||01150 | replacing "Core" and "Framework" with "Messa 01002 | ||01151 | 01003 | o Numerous cleanups, including updating refere||01152 | o Numerous cleanups, including updating refere 01004 | ||01153 | 01005 | -05 ||01154 | -05 01006 | ||01155 | 01007 | o Changed "redirect_url" to "redirect_uri" and||01156 | o Changed "redirect_url" to "redirect_uri" and 01008 | "js_origin_uri". ||01157 | "js_origin_uri". 01009 | ||01158 | 01010 | -04 ||01159 | -04 01011 | ||01160 | 01012 | o Correct issues raised by Johnny Bufu and dis||01161 | o Correct issues raised by Johnny Bufu and dis 01013 | working group call. ||01162 | working group call. 01014 | ||01163 | 01015 | -03 ||01164 | -03 01016 | ||01165 | 01017 | o Incorporate working group decisions from 5-J||01166 | o Incorporate working group decisions from 5-J 01018 | ||01167 | 01019 | o Consistency and cleanup pass, including remo||01168 | o Consistency and cleanup pass, including remo 01020 | references. ||01169 | references. 01021 | ||01170 | 01022 | -02 ||01171 | -02 01023 | ||01172 | 01024 | o Incorporate working group decisions from 23-||01173 | o Incorporate working group decisions from 23- 01025 | ||01174 | 01026 | -01 ||01175 | -01 01027 | ||01176 | 01028 | o Initial version. ||01177 | o Initial version. 01029 | ||01178 | 01030 | ||01179 | 01031 |Authors' Addresses ||01180 |Authors' Addresses 01032 | ||01181 | 01033 | Nat Sakimura ||01182 | Nat Sakimura 01034 | Nomura Research Institute, Ltd. ||01183 | Nomura Research Institute, Ltd. 
01035 | ||01184 | 01036 | Email: n-sakimura@nri.co.jp ||01185 | Email: n-sakimura@nri.co.jp 01037 | ||01186 | 01038 | ||01187 | 01039 | John Bradley ||01188 | John Bradley 01040 | Ping Identity ||01189 | Ping Identity 01041 | ||01190 | 01042 | Email: ve7jtb@ve7jtb.com ||01191 | Email: ve7jtb@ve7jtb.com 01043 | ||01192 | 01044 | ||01193 | 01045 | Michael B. Jones ||01194 | Michael B. Jones 01046 | Microsoft ||01195 | Microsoft 01047 | ||01196 | 01048 | Email: mbj@microsoft.com ||01197 | Email: mbj@microsoft.com 01049 | ||01198 |
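Review bot: the new header "13. Privacy Considerations" in the right column (00766) has no body: the lines after it (00767, 00768) are blank and the next non-blank line is the "14. IANA Considerations" header, so the discussion draft ships an empty section. Either add the privacy text the heading promises or mark it with an Editor's Note (the -17 history says Editor's Notes were added elsewhere in this revision), so a reader does not take the empty section for a statement that there are no privacy considerations.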
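Review bot: in the -17 entries of Appendix C (right column, 00892 to 00918) the last item reads "Cleand up the indents" and should be "Cleaned up the indents"; the item "o Deleted the "rotate_secret"" stops short of saying what was deleted, unlike the preceding "o Deleted the "operation" parameter", so name the thing removed; and the heading "-17 discussion version" differs from the bare "-16", "-15" headings used for every other revision, so use the same form.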