| TOC |
|
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
This specification only defines a special type of OP called Self Issued Provider. Self Issued Provider is a personal OP that typically runs on a deviced owned by the user. It could be used as a privacy proxy in some scenarios.
1.
Introduction
1.1.
Requirements Notation and Conventions
2.
Terminology
3.
Self-Issued OpenID Provider
3.1.
Self-Issued OpenID Provider Discovery
3.2.
Self-Issued OpenID Provider Registration
3.3.
Self-Issued OpenID Provider Request
3.4.
Self-Issued OpenID Provider Response
3.5.
Self-Issued ID Token Validation
4.
Security Considerations
5.
Privacy Considerations
6.
IANA Considerations
6.1.
OAuth Parameters Registry
7.
References
7.1.
Normative References
7.2.
Informative References
Appendix A.
Acknowledgements
Appendix B.
Notices
Appendix C.
Document History
§
Authors' Addresses
| TOC |
The OpenID Connect Messages 1.0 specification defines endpoints, associated messages, and message sequences that can be used to build an actual OpenID Connect identity protocol. OpenID Connect Standard 1.0 (Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “OpenID Connect Standard 1.0,” July 2013.) [OpenID.Standard] is such a protocol. It binds the OAuth 2.0 code and implicit flows to the elements defined by this specification to define an interoperable identity protocol over HTTPS. Similarly, one could use this specification to write bindings to other protocols such as IMAP or XMPP.
| TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].
Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
All uses of JSON Web Signature (JWS) (Jones, M., Bradley, J., and N. Sakimura, “JSON Web Signature (JWS),” May 2013.) [JWS] and JSON Web Encryption (JWE) (Jones, M., Rescorla, E., and J. Hildebrand, “JSON Web Encryption (JWE),” May 2013.) [JWE] data structures in this specification utilize the JWS Compact Serialization or the JWE Compact Serialization; the JWS JSON Serialization and the JWE JSON Serialization are not used.
| TOC |
This specification strives to make itself readable without constantly referring to the term definitions. Defined terms are shown with its first letters capitalized. When in doubt, refer to OpenID Connect Messages 1.0 for the authoritative definition of the defined terms.
| TOC |
OpenID Connect supports Self-Issued OpenID Providers: personal OPs that issue self-signed ID Tokens. Self-Issued OPs use the special Issuer Identifier https://self-issued.me.
| TOC |
If the input identifier for the discovery process contains the domain self-issued.me, dynamic discovery is not performed. Instead, then the following static configuration values are used:
{
"authorization_endpoint":
"openid:",
"issuer":
"https://self-issued.me",
"scopes_supported":
["openid", "profile", "email", "address", "phone"],
"response_types_supported":
["id_token"],
"subject_types_supported":
["pairwise"],
"id_token_signing_alg_values_supported":
["RS256"],
"request_object_signing_alg_values_supported":
["none", "RS256"]
}
Note: The OpenID Foundation may consider hosting a site https://self-issued.me/ that returns the above static configuration file so that the Client would not need any special treatment for discovery of the Self-Issued OP.
| TOC |
When using a Self-Issued OP, the Client is deemed to have registered with the OP and obtained following Client Registration Response.
- client_id
- redirect_uri value of the Client.
- client_secret_expires_at
- 0
Note: The OpenID Foundation may consider hosting the (stateless) endpoint https://self-issued.me/registration/1.0/ that returns the response above so that the Client would not need to perform any special processing for registration of a Self-Issued OP.
| TOC |
The registration request parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration. The value is a JSON object containing name/value pairs defined in Section 2.1 of the OpenID Connect Dynamic Client Registration 1.0 (Sakimura, N., Bradley, J., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0,” July 2013.) [OpenID.Registration] specification. None of this information is REQUIRED by Self-Issued OPs, so the use of this parameter is OPTIONAL.
The registration parameter value is represented in an OAuth 2.0 request as UTF-8 encoded JSON (which ends up being form-urlencoded when passed as an OAuth parameter). When used in a Request Object value, per defined in OpenID Connect Messages, the JSON is used as the value of the registration member.
The Registration parameters that would typically be used in requests to Self-Issued OPs are policy_uri, tos_uri, and logo_uri. If the Client uses more than one redirection URI, the redirect_uris parameter would be used to register them. Finally, if the Client is requesting encrypted responses, it would use the jwks_uri, id_token_encrypted_response_alg and id_token_encrypted_response_enc parameters.
| TOC |
The Client sends the Authorization Request to the Authorization Endpoint with the following parameters:
- response_type
- REQUIRED. Constant string value id_token.
- client_id
- REQUIRED. Client ID value for the Client, which in this case contains the redirect_uri value of the Client. Since the Client's redirect_uri URI value is communicated as the Client ID, a redirect_uri parameter is NOT REQUIRED to also be included in the request.
- scope
- REQUIRED. scope parameter value, as specified in OpenID Connect UserInfo.
- id_token_hint
- OPTIONAL. Previously issued ID Token passed to the Authorization Server as a hint about the End-User's current or past authenticated session with the Client. This SHOULD be present when prompt=none is used. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return a negative response.
- If the ID Token received by the RP is encrypted, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token. In this case, the sub (subject) of the signed ID Token MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
- claims
- OPTIONAL. This parameter is used to request that specific Claims be returned. The value is a JSON object, as specified in OpenID Connect Messages.
- registration
- OPTIONAL. This parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration, as specified in Section 3.2.1 (Providing Additional Registration Information).
- request
- OPTIONAL. Request Object value, as specified in OpenID Connect Messages. The Request Object MAY be encrypted in a JWE by the Client. In this case, the sub (subject) of a previously issued ID Token for this Client MUST be sent as the kid (Key ID) of the JWE. Encrypting content to Self-Issued OPs is currently only supported when the OP's JWK key type is RSA and the encryption algorithm used is RSA1_5.
Other parameters MAY be sent. Note that all Claims are returned in the ID Token.
The entire URL MUST NOT exceed 2048 ASCII characters.
Following is a non-normative example (with line wraps within values for display purposes only):
HTTP/1.1 302 Found
Location: openid://
?response_type=id_token
&client_id=https%3A%2F%2Fclient.example.org%2Fcb
&scope=openid%20profile
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
registration=&%7B%22logo_uri%22%3A%22https%3A%2F%2F
client.example.org%2Flogo.png%22%7D
| TOC |
The Self-Issued OpenID Provider response is the same as the normal implicit flow response with the following refinements. Since it is an implicit flow response, the response parameters will be returned in the URL fragment component.
| TOC |
If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used.
To validate the ID Token in the Authorization or Token Endpoint Response, the Client MUST do the following:
The following is a non-normative example of a base64url decoded Self-Issued ID Token (with line wraps within values for display purposes only):
{
"iss": "https://self-issued.me",
"sub": "wBy8QvHbPzUnL0x63h13QqvUYcOur1X0cbQpPVRqX5k",
"aud": "https://client.example.org/cb",
"nonce": "n-0S6_WzA2Mj",
"exp": 1311281970,
"iat": 1311280970,
"sub_jwk": {
"kty":"RSA",
"n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
"e":"AQAB"
}
}
| TOC |
For Security Considerations, refer to OpenID Connect Consolidated Security and Privacy Considerations document.
| TOC |
For Privacy Considerations, refer to OpenID Connect Consolidated Security and Privacy Considerations document.
| TOC |
| TOC |
This specification registers the following parameters in the IANA OAuth Parameters registry defined in RFC 6749 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) [RFC6749].
| TOC |
| TOC |
| TOC |
| TOC |
| [OpenID.2.0] | OpenID Foundation, “OpenID Authentication 2.0,” December 2007 (TXT, HTML). |
| [OpenID.Standard] | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., and E. Jay, “OpenID Connect Standard 1.0,” July 2013. |
| [RFC4949] | Shirey, R., “Internet Security Glossary, Version 2,” RFC 4949, August 2007 (TXT). |
| TOC |
As a successor version of OpenID, this specification heavily relies on ideas explored in OpenID Authentication 2.0 (OpenID Foundation, “OpenID Authentication 2.0,” December 2007.) [OpenID.2.0]. Please refer to Appendix C of OpenID Authentication 2.0 for the full list of the contributors for that specification.
In addition, the OpenID Community would like to thank the following people for the work they have done in the drafting and editing of this specification.
Naveen Agarwal (naa@google.com), Google
Amanda Anganes (aanganes@mitre.org), Mitre
Casper Biering (cb@peercraft.com), Peercraft
John Bradley (ve7jtb@ve7jtb.com), Ping Identity
Tim Bray (tbray@textuality.com), Google
Johnny Bufu (jbufu@janrain.com), Janrain
Brian Campbell (bcampbell@pingidentity.com), Ping Identity
Breno de Medeiros (breno@gmail.com), Google
Pamela Dingle (pdingle@pingidentity.com), Ping Identity
Vladimir Dzhuvinov (vladimir@nimbusds.com), Nimbus Directory Services
George Fletcher (george.fletcher@corp.aol.com), AOL
Roland Hedberg (roland.hedberg@adm.umu.se), University of Umea
Ryo Ito (ryo.ito@mixi.co.jp), mixi, Inc.
Edmund Jay (ejay@mgi1.com), Illumila
Michael B. Jones (mbj@microsoft.com), Microsoft
Torsten Lodderstedt (t.lodderstedt@telekom.de), Deutsche Telekom
Nov Matake (nov@matake.jp), Independent
Chuck Mortimore (cmortimore@salesforce.com), Salesforce
Anthony Nadalin (tonynad@microsoft.com), Microsoft
Hideki Nara (hdknr@ic-tact.co.jp), Tact Communications
Axel Nennker (axel.nennker@telekom.de), Deutsche Telekom
David Recordon (dr@fb.com), Facebook
Justin Richer (jricher@mitre.org), Mitre
Nat Sakimura (n-sakimura@nri.co.jp), Nomura Research Institute, Ltd.
Luke Shepard (lshepard@fb.com), Facebook
Andreas Akre Solberg (andreas.solberg@uninett.no), UNINET
Paul Tarjan (pt@fb.com), Facebook
| TOC |
Copyright (c) 2013 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.
| TOC |
-00
Initial refactored version
| TOC |
| Nat Sakimura | |
| Nomura Research Institute, Ltd. | |
| Email: | n-sakimura@nri.co.jp |
| John Bradley | |
| Ping Identity | |
| Email: | ve7jtb@ve7jtb.com |
| Michael B. Jones | |
| Microsoft | |
| Email: | mbj@microsoft.com |
| Breno de Medeiros | |
| Email: | breno@google.com |
| Chuck Mortimore | |
| Salesforce | |
| Email: | cmortimore@salesforce.com |
| Edmund Jay | |
| Illumila | |
| Email: | ejay@mgi1.com |