Nomura Research Institute, Ltd.

n-sakimura@nri.co.jp

Ping Identity

ve7jtb@ve7jtb.com

Microsoft

mbj@microsoft.com

Google

breno@google.com

Salesforce

cmortimore@salesforce.com

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect Basic Client Profile 1.0 is a profile of the OpenID Connect Messages 1.0 and OpenID Connect Standard 1.0 specifications that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth authorization_code grant type. This specification intentionally duplicates content from the Messages and Standard specifications to provide a self-contained implementation profile for basic Web-based Relying Parties using the OAuth authorization_code grant type. OpenID Providers and non Web-based applications should instead consult the Messages and Standard specifications.

OpenID Connect Basic Client Profile 1.0 is a profile of the OpenID Connect Messages 1.0 and OpenID Connect Standard 1.0 specifications that is designed to be easy to read and implement for basic Web-based Relying Parties using the OAuth authorization_code grant type. This specification intentionally duplicates content from the Messages and Standard specifications to provide a self-contained implementation profile for basic Web-based Relying Parties using the OAuth authorization_code grant type. See the OpenID Connect Implicit Client Profile 1.0 specification for a related profile for basic Web-based Relying Parties using the OAuth implicit grant type. OpenID Providers and non Web-based applications should instead consult the Messages and Standard specifications. This profile omits implementation and security considerations for OpenID Providers and non Web-based applications.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. When the RFC 2119 language applies to the behavior of OpenID Providers, it is in this specification for explanatory value to help Client implementers understand the expected behavior of OpenID Providers.

This specification uses the terms "Access Token", "Refresh Token", "Authorization Code", "Authorization Grant", "Authorization Server", "Authorization Endpoint", "Client", "Client Identifier", "Client Secret", "Protected Resource", "Resource Owner", "Resource Server", and "Token Endpoint" defined by OAuth 2.0. This specification also defines the following terms: Application requiring Claims from an OpenID Provider. Service capable of providing Claims to a Relying Party. Piece of information about an Entity that a Claims Provider asserts about that Entity. Server that can return Claims about an Entity. Human Resource Owner. Something that has a separate and distinct existence and that can be identified in a context. An End-User is one example of an Entity. Information that (a) can be used to identify the natural person to whom such information relates, or (b) is or might be directly or indirectly linked to a natural person to whom such information relates. Identifier that identifies the Entity to a Relying Party that cannot be correlated with the Entity's PPID at another Relying Party. JSON Web Token (JWT) that contains Claims about the authentication event. Entity that issues a set of Claims. URL using the https scheme that acts as a verifiable identifier for an Issuer. Protected resource that, when presented with an Access Token by the Client, returns authorized information about the End-User represented by the corresponding Authorization Grant. Claim specified by the Client as being useful but not essential for the specific task requested by the End-User.

Authorization Requests can follow one of two paths; the Implicit Flow or the Authorization Code Flow. The Authorization Code Flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server whereas, the Implicit Flow is suitable for Clients that cannot. This specification only provides information that is sufficient for basic Clients using the Code Flow.

The Code Flow consists of the following steps: Client prepares an Authorization Request containing the desired request parameters. Client sends a request to the Authorization Server. Authorization Server authenticates the End-User. Authorization Server obtains the End-User Consent/Authorization. Authorization Server sends the End-User back to the Client with code. Client sends the code to the Token Endpoint to receive an Access Token and ID Token in the response.

When the Client wishes to access a Protected Resource and the End-User Authorization has not yet been obtained, the Client prepares an Authorization Request to the Authorization Endpoint. Communication with the Authorization Endpoint MUST utilize TLS. See for more information on using TLS. Clients MAY construct the request using the HTTP GET or the HTTP POST method as defined in RFC 2616. If using the HTTP GET method, the parameters are serialized using Query String Serialization. If using the HTTP POST method, the request parameters are added to the HTTP request entity-body using the application/x-www-form-urlencoded format as defined by .

The following is a non-normative example of an Authorization Request URL (with line wraps for display purposes only):

This profile of OpenID Connect uses the following OAuth 2.0 request parameters: REQUIRED. This value MUST be code. This requests that both an Access Token and an ID Token be returned from the Token Endpoint in exchange to code. REQUIRED. OAuth 2.0 Client Identifier. REQUIRED. Space delimited, case sensitive list of ASCII OAuth 2.0 scope values. OpenID Connect requests MUST contain the openid scope value. OPTIONAL scope values of profile, email, address, phone, and offline_access are also defined. See for more about the scope values defined by this specification. REQUIRED. Redirection URI to which the response will be sent. This MUST be pre-registered with the OpenID Provider. If the Client only uses the OAuth authorization_code grant type, the redirection URI MAY use the http scheme, provided that the Client Type is confidential, as defined in Section 2.1 of OAuth 2.0. RECOMMENDED. Opaque value used to maintain state between the request and the callback; serves as a protection against XSRF attacks. This specification also defines the following request parameters: OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authorization Request to the ID Token. Use of the nonce is OPTIONAL when using the code flow. OPTIONAL. ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are: The Authorization Server SHOULD display authentication and consent UI consistent with a full User-Agent page view. If the display parameter is not specified this is the default display mode. The Authorization Server SHOULD display authentication and consent UI consistent with a popup User-Agent window. The popup User-Agent window SHOULD be 450 pixels wide and 500 pixels tall. The Authorization Server SHOULD display authentication and consent UI consistent with a device that leverages a touch interface. The Authorization Server MAY attempt to detect the touch device and further customize the interface. The Authorization Server SHOULD display authentication and consent UI consistent with a "feature phone" type display. OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are: The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if the End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims. This can be used as a method to check for existing authentication and/or consent. The Authorization Server MUST prompt the End-User for reauthentication. The Authorization Server MUST prompt the End-User for consent before returning information to the Client. The Authorization Server MUST prompt the End-User to select a user account. This allows a user who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they may have current sessions for. The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned. OPTIONAL. Maximum Authentication Age. Specifies that the End-User must be actively authenticated if the End-User was authenticated longer ago than the specified number of seconds. When max_age is used, the ID Token returned MUST include an auth_time Claim value. OPTIONAL. End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 language tag values, ordered by preference. For instance, the value "fr-CA fr-FR en-CA" represents a preference for French as spoken in Canada, then French as spoken in France, followed by English as spoken in Canada. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. OPTIONAL. End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. OPTIONAL. Previously issued ID Token passed to the Authorization Server as a hint about the End-User's current or past authenticated session with the Client. This SHOULD be present when prompt=none is used. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return a negative response. OPTIONAL. Hint to the Authorization Server about the login identifier the End-User may use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. The use of this parameter is left to the OP's discretion. OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server MUST use for processing requests from this Client. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim value, as specified in .

Having constructed the Authorization Request, the Client sends it to the Authorization Endpoint using HTTPS.

Following is a non-normative example using HTTP redirect (with line wraps for display purposes only):

The Authorization Server authenticates the resource owner to make sure that consent is obtained from the right party. If interaction with the End-User occurs over an HTTP channel, it MUST use TLS, as per . The exact authentication methods used are out of scope for this specification.

The Authorization Server obtains an authorization decision for the requested Claims. This can done by presenting the End-User with a dialogue that allows the End-User to recognize what he is consenting to and obtain his consent or by establishing consent via other means (for example, via previous administrative consent). The openid scope value declares that this OAuth 2.0 request is an OpenID Connect request. Use of all other scope values is OPTIONAL.

Once the authorization is determined, the Authorization Server returns a successful response or an error response.

If the Resource Owner grants the access request, the Authorization Server issues a code and delivers it to the Client by adding the following query parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format as defined in Section 4.1.2 of OAuth 2.0. REQUIRED. OAuth 2.0 Authorization Code. OAuth 2.0 state value. REQUIRED if the state parameter is present in the Client Authorization Request. Clients MUST verify that the state value is equal to the exact value of state parameter in the Authorization Request.

The following is a non-normative example (with line wraps for the display purposes only):

If the End-User denies the authorization or the End-User authentication fails, the Authorization Server MUST return the error Authorization Response as defined in 4.1.2.1 of OAuth 2.0. No other parameters SHOULD be returned.

The Client then makes an Access Token Request using the Authorization Code to obtain tokens from the Token Endpoint in the following manner:

The Client makes a request to the Token Endpoint using form serialization as described in Section 4.1.3 of OAuth 2.0. The Client authenticates itself by communicating its form-urlencoded Client Credentials in an Authorization header using the HTTP Basic method, as described in 2.3.1 of OAuth 2.0. (This method is the one identified by using the client_secret_basic authentication method value in OpenID Connect Discovery 1.0). Communication with the Token Endpoint MUST utilize TLS. See for more information on using TLS.

The following is a non-normative example of such a Token Request (with line wraps for the display purposes only):

The Client receives a response with the following parameters as described in Section 4.1.4 of OAuth 2.0. The response should be encoded using UTF-8. REQUIRED. Access Token for the UserInfo Endpoint. REQUIRED. OAuth 2.0 Token Type value. The value MUST be Bearer or another token_type value that the Client has negotiated with the Authorization Server. Clients implementing this profile MUST support the OAuth 2.0 Bearer Token Usage specification. This profile only describes the use of bearer tokens. REQUIRED. ID Token. OPTIONAL. Expiration time of the Access Token in seconds since the response was generated. OPTIONAL. Refresh Token. The Client can then use the Access Token to access protected resources at Resource Servers.

The following is a non-normative example (with line wraps for the display purposes only):

The ID Token is a security token that contains Claims about the authentication event and other requested Claims. The ID Token is represented as a JSON Web Token (JWT). The ID Token is used to manage the authentication event and user identifier and is scoped to a particular Client via the aud (audience) Claim. The following Claims are used within the ID Token: REQUIRED. Issuer Identifier for the Issuer of the response. REQUIRED. Subject identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client. e.g. 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. REQUIRED. Audience that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Client. OPTIONAL. Authorized Presenter. This member identifies an OAuth 2.0 Client authorized to use this ID Token as an OAuth Access Token. It MUST contain the client_id of the Authorized Presenter. This Claim is only needed when the party requesting the ID Token is not the same as the audience of the ID Token. REQUIRED. Expiration time on or after which the ID Token MUST NOT be accepted for processing. The processing of this parameter requires that the current date/time MUST be before the expiration date/time listed in the value. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. The value is the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the desired date/time. See RFC 3339 for details regarding date/times in general and UTC in particular. REQUIRED. Time at which the JWT was issued. The value is the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the desired date/time. See RFC 3339 for details regarding date/times in general and UTC in particular. OPTIONAL or REQUIRED. Time when the End-User authentication occurred, specified as the number of seconds since 1970-01-01T0:0:0Z as measured in UTC. When a max_age request is made then this Claim is REQUIRED. OPTIONAL. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. Authentications with level 0 should never be used to authorize access to any resource of any monetary value. An absolute URI or a registered name MAY be used as an acr value. OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. The JWT MAY contain other Claims that are understood by all parties using it.

The following is a non-normative example of a base64url decoded ID Token (with line wraps for display purposes only):

If any of the validation procedures defined in this specification fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used. The Client MUST validate the ID Token in the Token Response. To do this, the Client can split the id_token at the period (".") characters, take the second segment, and base64url decode it to obtain a JSON object containing the ID Token Claims, which MUST be validated as follows: The Client MUST validate that the iss (issuer) Claim is valid for the Token Endpoint that the id_token was received from. The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client. The current time MUST be less than the value of the exp Claim (possibly allowing for some small leeway to account for clock skew). The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces must be stored to prevent attacks. The acceptable range is Client specific. If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate. The meaning and processing of acr Claim Values is out of scope for this specification. When a max_age request is made, the Client SHOULD check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication.

The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims. Communication with the UserInfo Endpoint MUST utilize TLS. See for more information on using TLS.

Clients send requests to the UserInfo Endpoint to obtain Claims about the End-User. The UserInfo Endpoint is an OAuth 2.0 Protected Resource that complies with the OAuth 2.0 Bearer Token Usage specification. The Access Token SHOULD be sent using the Authorization header field. The following parameters are defined for use in UserInfo Requests: REQUIRED. Access Token obtained from an OpenID Connect Authorization Request. This parameter MUST only be sent using one method using either the Authorization header field or a form-encoded POST body parameter. REQUIRED. Schema in which the data is to be returned. The only defined schema value is openid. This identifier is reserved. It MUST be ignored by the endpoint when the openid schema is used.

The following is a non-normative example of a UserInfo Request:

If the requested schema is openid, the UserInfo Claims MUST be returned as the members of a JSON object. The response body SHOULD be encoded using UTF-8. The Claims defined in can be returned, as can additional Claims not specified there. If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value. The sub (subject) Claim MUST always be returned in the UserInfo Response. NOTE: The UserInfo Endpoint response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Endpoint response MUST be verified to exactly match the sub Claim in the ID Token before using additional UserInfo Endpoint Claims.

When an error condition occurs, the UserInfo Endpoint returns an Error Response as defined in Section 3 of OAuth 2.0 Bearer Token Usage. In addition to the error codes defined in Section 3.1 of OAuth 2.0 Bearer Token Usage, this specification defines the following error codes: The requested schema is invalid or unsupported.

OpenID Connect Clients use scope values as defined in 3.3 of OAuth 2.0 to specify what access privileges are being requested for Access Tokens. The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints. For OpenID Connect, scopes can be used to request that specific sets of information be made available as Claim values. OAuth 2.0 allows additional scope values to be specified, as extensions. This specification describes only the scope values used by OpenID Connect. Claims requested by the following scopes are treated by Authorization Servers as Voluntary Claims. OpenID Connect defines the following scope values: REQUIRED. Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the behavior is entirely unspecified. OPTIONAL. This scope value requests access to the End-User's default profile Claims. These Claims are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_time. OPTIONAL. This scope value requests access to the email and email_verified Claims. OPTIONAL. This scope value requests access to the address Claim. OPTIONAL. This scope value requests access to the phone_number Claim. OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the user is not present (not logged in). Multiple scope values MAY be used by creating a space delimited, case sensitive list of ASCII scope values. The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in . In some cases, the End-User will be given the option to have the OpenID Provider decline to provide some or all information requested by Clients. To minimize the amount of information that the user is being asked to disclose, a Client may elect to only request a subset of the information available from the UserInfo Endpoint.

The following is a non-normative example of a scope Request.

This profile defines a set of standard Claims. They are returned in the UserInfo Response. Member Type Description sub string Subject - Identifier for the End-User at the Issuer. name string End-User's full name in displayable form including all name parts, ordered according to End-User's locale and preferences. given_name string Given name or first name of the End-User. family_name string Surname or last name of the End-User. middle_name string Middle name of the End-User. nickname string Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. preferred_username string Shorthand name that the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. This value MUST NOT be relied upon to be unique by the RP. (See .) profile string URL of the End-User's profile page. picture string URL of the End-User's profile picture. website string URL of the End-User's web page or blog. email string End-User's preferred e-mail address. This value MUST NOT be relied upon to be unique by the RP. (See .) email_verified boolean True if the End-User's e-mail address has been verified; otherwise false. gender string End-User's gender. Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable. birthdate string End-User's birthday, represented as an ISO 8601:2004 YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year may result in varying month and day, so the implementers should take this factor into account to correctly process the dates. zoneinfo string String from zoneinfo time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. locale string End-User's locale, represented as a BCP47 language tag. This is typically an ISO 639-1 Alpha-2 language code in lowercase and an ISO 3166-1 Alpha-2 country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Implementations MAY choose to accept this locale syntax as well. phone_number string End-User's preferred telephone number. E.164 is RECOMMENDED as the format of this Claim. For example, +1 (425) 555-1212 or +56 (2) 687 2400. address JSON object End-User's preferred address. The value of the address member is a JSON structure containing some or all of the members defined in . updated_time string Time the End-User's information was last updated, represented as a RFC 3339 datetime. For example, 2011-01-03T23:58:42+0000.

Following is a non-normative example of such a response:

The UserInfo Endpoint MUST return Claims in JSON format unless a different format was specified during Registration . The UserInfo Endpoint MUST return a content-type header to indicate which format is being returned. The following are accepted content types: Content-Type Format Returned application/json plain text JSON object application/jwt JSON Web Token (JWT)

The components of a physical mailing address. Implementations MAY return only a subset of the fields of an address, depending upon the information available and the End-User's privacy preferences. For example, the country and region might be returned without returning more fine-grained address information. Implementations MAY return just the full address as a single string in the formatted sub-field, or they MAY return just the individual component fields using the other sub-fields, or they MAY return both. If both variants are returned, they SHOULD be describing the same address, with the formatted address indicating how the component fields SHOULD be combined. Full mailing address, formatted for display or use with a mailing label. This field MAY contain newlines. This is the Primary Sub-Field for this field, for the purposes of sorting and filtering. Full street address component, which may include house number, street name, PO BOX, and multi-line extended street address information. This field MAY contain newlines. City or locality component. State, province, prefecture or region component. Zip code or postal code component. Country name component.

Claims MAY be represented in multiple languages and scripts. To specify the languages and scripts, BCP47 language tags are added to member names, delimited by a # character. For example, family_name#ja-Kana-JP expresses the Family Name in Katakana in Japanese, which is commonly used to index and represent the phonetics of the Kanji representation of the same represented as family_name#ja-Hani-JP. A claims_locales request can be used to specify the preferred languages and scripts to use for the returned Claims.

The sub (subject) Claim is the only Claim that a Client can rely upon to be stable, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in . Therefore, the only guaranteed unique identifier for a given End-User is a combination of the Issuer's identifier and the sub Claim; other fields such as preferred_username and email MUST NOT be used as unique identifiers for a given End-User. All other Claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and Issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use a given preferred_username or email address Claim across different End-Users at different points in time, and the claimed preferred_username or email address for a given End-User MAY change over time.

A request message MAY be serialized using one of the following methods: Query String Serialization Form Serialization

In order to serialize the parameters using the query string serialization, the Client constructs the string by adding the parameters and values to the query component using the application/x-www-form-urlencoded format as defined by . Query string serialization is typically used in HTTP GET requests.

Following is a non-normative example of such serialization:

Parameters and their values are form serialized by adding the parameter names and values to the entity body of the HTTP request using the application/x-www-form-urlencoded format as defined by . Form serialization is typically used in HTTP POST requests.

Following is a non-normative example of such serialization:

Processing some OpenID Connect messages requires comparing values in the messages to known values. For example, the Claim Names returned by the UserInfo Endpoint might be compared to specific Claim Names such as sub. Comparing Unicode strings, however, has significant security implications. Therefore, comparisons between JSON strings and other Unicode strings MUST be performed as specified below: Remove any JSON applied escaping to produce an array of Unicode code points. Unicode Normalization MUST NOT be applied at any point to either the JSON string or to the string it is to be compared against. Comparisons between the two strings MUST be performed as a Unicode code point to code point equality comparison. In several places, this specification uses space delimited lists of strings. In all such cases, only the ASCII space character (0x20) MAY be used for this purpose.

Whenever Transport Layer Security (TLS) is used by this specification, the appropriate version (or versions) of TLS will vary over time, based on the widespread deployment and known security vulnerabilities. At the time of this writing, TLS version 1.2 is the most recent version, but has a very limited deployment base and might not be readily available for implementation. TLS version 1.0 is the most widely deployed version and will provide the broadest interoperability.

This specification defines features used by Relying Parties using the OAuth authorization_code grant type. These Relying Parties MUST implement the features that are listed in this specification as being "REQUIRED" or are described with a "MUST".

Some OpenID Connect installations can use a pre-configured set of OpenID Providers and/or Relying Parties. In those cases, it may not be necessary to support dynamic discovery of information about identities or services or dynamic registration of Clients. However, if installations choose to support unanticipated interactions between Relying Parties and OpenID Providers that do not have pre-configured relationships, they SHOULD accomplish this by implementing the facilities defined in the OpenID Connect Discovery 1.0 and OpenID Connect Dynamic Client Registration 1.0 specifications.

For security considerations other than those listed below, refer to the OpenID Connect Messages 1.0 and OpenID Connect Standard 1.0 specifications.

Implementations MUST support TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 is the most widely deployed version, and will give the broadest interoperability. To protect against information disclosure and tampering, confidentiality protection MUST be applied using TLS with a ciphersuite that provides confidentiality and integrity protection. Whenever TLS is used, a TLS server certificate check MUST be performed, per RFC 6125.

The UserInfo Response typically contains Personally Identifiable Information (PII). As such, End-User consent for the release of the information for the specified purpose SHOULD be obtained at or prior to the authorization time in accordance with relevant regulations. The purpose of use is typically registered in association with the redirect_uri. Only necessary UserInfo data SHOULD be stored at the Client and the Client SHOULD associate the received data with the purpose of use statement. The Resource Server SHOULD make the UserInfo access log available to the End-User so that the End-User can monitor who accessed his data. To protect the End-User from a possible correlation among Clients, the use of a Pairwise Pseudonymous Identifier (PPID) as the sub (subject) SHOULD be considered.

This document makes no requests of IANA.

markdavis@google.com

ken@unicode.org

International Organization for Standardization International Organization for Standardization International Organization for Standardization International Organization for Standardization International Telecommunication Union Public Domain Nomura Research Institute, Ltd. Ping Identity Microsoft Google Salesforce Illumila Nomura Research Institute, Ltd. Ping Identity Microsoft Google Salesforce Illumila Nomura Research Institute, Ltd. Ping Identiity Microsoft Illumila Nomura Research Institute, Ltd. Ping Identity Microsoft Microsoft Ping Identity Nomura Research Institute, Ltd. Nomura Research Institute, Ltd. Ping Identity Microsoft Google Salesforce Illumila

The OpenID Community would like to thank the following people for the work they've done in the drafting and editing of this specification. Naveen Agarwal (naa@google.com), Google Casper Biering (cb@peercraft.com), Peercraft John Bradley (ve7jtb@ve7jtb.com), Ping Identity Tim Bray (tbray@textuality.com), Google Johnny Bufu (jbufu@janrain.com), Janrain Breno de Medeiros (breno@gmail.com), Google Pamela Dingle (pdingle@pingidentity.com), Ping Identity George Fletcher (george.fletcher@corp.aol.com), AOL Roland Hedberg (roland.hedberg@adm.umu.se), Independent Ryo Ito (ryo.ito@mixi.co.jp), mixi, Inc. Edmund Jay (ejay@mgi1.com), Illumila Michael B. Jones (mbj@microsoft.com), Microsoft Nov Matake (nov@matake.jp), Independent Chuck Mortimore (cmortimore@salesforce.com), Salesforce Anthony Nadalin (tonynad@microsoft.com), Microsoft Hideki Nara (hideki.nara@gmail.com), Takt Communications Axel Nennker (axel.nennker@telekom.de), Deutsche Telekom Torsten Lodderstedt (t.lodderstedt@telekom.de), Deutsche Telekom David Recordon (dr@fb.com), Facebook Justin Richer (jricher@mitre.org), Mitre Nat Sakimura (n-sakimura@nri.co.jp), Nomura Research Institute, Ltd. Luke Shepard (lshepard@fb.com), Facebook Andreas Akre Solberg (andreas.solberg@uninett.no), UNINET Paul Tarjan (pt@fb.com), Facebook

Copyright (c) 2013 The OpenID Foundation. The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF. The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.

[[ To be removed from the final specification ]] -24 Fixed #711 - Awkward phrase "The following Claims are REQUIRED and OPTIONAL". Fixed #712 - "azp" definition clarification. Fixed #713 - Explicitly require "sub" claim to be returned from UserInfo endpoint. Fixed #716 - Client/server 2119 blurriness. Fixed #732 - Capitalize name of "Bearer" authentication scheme. Fixed #738 - Behavior when "openid" scope is omitted. Added Security Considerations section about TLS version requirements and usage. Removed language about clients that do not support TLS. Also removed language about supporting other transport-layer mechanisms with equivalent security to TLS. State that when any validations fail, any operations requiring the information that failed to correctly validate MUST be aborted and the information that failed to validate MUST NOT be used. Added id_token_hint parameter to Basic, since it SHOULD be present when prompt=none is used. Fixed #742 - Added new ui_locales parameter. Fixed #743 - Added claims_locales parameter. Fixed #744 - Added max_age parameter. Fixed #765 - Added new acr_values parameter. Fixed #597 - Changed representation of omitted year in birthdate from 9999 to 0000. Fixed #726 - Client authentication clarifications. Clarified when the http scheme can and can not be used in redirect_uri values. Stated that the azp Claim is only needed when the party requesting the ID Token is different than the audience of the ID Token. Use legal acr values in examples. Fixed #789 - Added amr (authentication methods references) Claim. -23 Fixed #620 - Update Section 2.2.6.2. to allow for other token types, but make bearer mandatory to support for basic clients. Added Implementation Considerations section. Fixed #698 - Inconsistent use of articles. Added auth_time definition to ID Token schema. Fixed #655 - Specify UTF-8 as encoding scheme whenever necessary. -22 Fixed #687 - Inconsistency between user_id and prn claims. The fix changed these names: user_id -> sub, user_id_types_supported -> subject_types_supported, user_id_type -> subject_type, and prn -> sub. Fixed #689 - Track JWT change that allows JWTs to have multiple audiences. Fixed #660 - Clarified that returning the sub value from the UserInfo endpoint is mandatory. Fixed #636 - ID Token authorized party claim. Fixed #539 - Add scope for offline access. Fixed #689 - added caution about unrecognized audiences. Fixed #693 Added login_hint Updated scopes text. -21 added informative definition of nonce in 2.2.1 Clarified that the client MUST check that the issuer is valid for the token endpoint RE #607 add example decoded id_token for non self-issued. Fixed #666 - JWS signature validation vs. verification. Fixed #682 - Change remaining uses of "birthday" to "birthdate". Referenced OAuth 2.0 RFCs -- RFC 6749 and RFC 6750. -20 Added preferred_username claim under profile scope Added ID Token section to describe required claims Added section on claim stability -19 Fixed Section 2.2.5.1 to return code in a query parameter rather than a fragment Removed claims_in_id_token scope value, per decision on June 15, 2012 special working group call -18 Use "code" response_type instead of "token id_token" in Basic Profile, per issue #567 Changed verified to email_verified, per issue #564 Removed Check ID Endpoint, per issue #570 Removed requirement for ID Token signature validation from Basic Profile, per issue #568 Removed use of nonce from Basic Profile, per issue #569 Changed client.example.com to client.example.org, per issue #251 Added claims_in_id_token scope definition to Basic and Implicit, per issue #594 Use standards track version of JSON Web Token spec (draft-ietf-oauth-json-web-token) -17 Removed "embedded" display type, since its semantics were not well defined, per issue #514 Add hash and hash check of access_token and code to id_token, per issue #510 Add example JS code for client Updated Notices Updated References -16 Added iat as a required claim in ID Tokens Enumerated claims requested by the "profile" scope value Added text about implicit flow to Abstract -15 Removed definition and usage for assertion and claim object email scope allows access to the 'verified' claim Removed language pertaining to custom userinfo schemas Moved display=none to prompt=none Added additional 'display' parameter options Redefined 'nonce' in Authorization Request. Changed to REQUIRED parameter. Changed usage of "approval" to "consent" Use RFC 6125 to verify TLS endpoints Allow other gender strings in UserInfo schema ID Token MUST be JWT RECOMMENDED E.164 format for UserInfo 'phone_number' claim Changed UserInfo Error Response to augment and return OAuth 2.0 Bearer Token Error Response Check ID Endpoint SHOULD use POST Added section about string comparison rules needed Added Response Encoding according to Multiple Response Types spec Make openid scope provide user_id from userinfo endpoint Changed Security Considerations to refer to corresponding section in Standard Check ID Endpoint uses ID Token as Access Token according to Bearer Token spec Update John Bradley email and affiliation for Implementer's Draft Removed invalid_id_token error codes Replace queryString with postBody variable in example JS -14 Changed section 3.2.1 to refer to access_token ticket #134. Bumped version + date. Changed 7.4 in security considerations to show none is REQUIRED. Changed 3.2.4.1 User Info to UserInfo per Ticket #137. Changed formatting of 7.1 per ticket #140. -13 Changed check_session to check_id. schema=openid now required when requesting UserInfo. Removed issued_to, since not well defined. Removed display values popup, touch, and mobile, since not well defined. -12 Ticket #48 Changed Check Session to take the id_token as a parameter. -11 Renamed from "Lite" to "Basic Client". Numerous cleanups, including updating references. -10 Add back id_token to the response type per issue 27. Changed endpoint name in example from id_token to check_session. Added token_type to the response and explanations of the optional parameters. -09 Clean up typos. Clean up scope explanation. Fix 3.2.4.1 to include id_token in response. -08 Added note about OP needing to read the full spec. Reverted back to GET for introspection based on Google feedback. Changed scopes to openid, profile, address, and email to make them additive. Changed introspection to Check Session Endpoint to be consistent with session management. Changed validation rules, the Check session endpoint will return an error for expired or invalid tokens, so the Client doesn't need to check expiration. Added explanation of why an id_token is used to verify identity rather than the userinfo Access Token. -07 Changed introspection to post Changed userinfo from id to user_id to be consistent with introspection endpoint. Fixed introspection example to use id_token rather than access token. Removed asking for id_token in response type. Fixed Section 3 to be clear it is client secret that is maintained between the client and the OP. -06 Only require the token flow in Lite. Removed code flow. Make id_token required. The id_token is treated as opaque. Rearranged sections for readability. Dropped the schema parameter to the Introspection endpoint, which was formerly a string with the value user_id. This is unnecessary since the id_token parameter already can be used to disambiguate the intended uses(s) of the endpoint. Dropped the requested audience from the Lite spec, which was formerly the identifier of the target audience of the response. This could be part of the Standard spec, but is an advanced scenario, and so not appropriate for Lite. Reference the Discovery and Registration specs, since they're needed for interaction between non-pre-configured parties (so that OpenID Connect installations can be Open). -05 Corrected issues raised by Casper Biering. Created the OpenID Connect Lite specification. -04 Correct issues raised by Pam Dingle and discussed on the mailing list after the 7-Jul-11 working group call. Adopted long_names. -03 Correct issues raised by Johnny Bufu and discussed on the 7-Jul-11 working group call. -02 Consistency and cleanup pass, including removing unused references. -01 Initial draft