OpenID Connect is an identity framework that provides authentication, authorization, and attribute transmission capability. It allows third party attested claims from distributed sources. The specification suite consists of Core, Protocol Bindings, Dynamic Registration, Discovery, and Extensions. This specification is the "Discovery" part of the suite that defines how user and server endpoints are discovered.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].
1. Introduction
2. Terminology
3. Provider Discovery
3.1. Identifier Normalization
3.2. Non-Normative Examples
3.3. Redirection
4. Provider Configuration Information
4.1. Provider Configuration Request
4.2. Provider Configuration Response
5. Other Items for Consideration
6. IANA Considerations
7. Security Considerations
8. References
8.1. Normative References
8.2. Informative References
Appendix A. Acknowledgements
Appendix B. Document History
Authors' Addresses
1. Introduction
In order for an OpenID client to utilize OpenID services for a user, the client needs to know where the OpenID Provider is. OpenID Connect uses Simple Web Discovery (Jones, M., Ed. and Y. Goland, “Simple Web Discovery,” October 2010.) [SWD] to locate the OpenID Connect provider for an end-user. This document describes the OpenID Connect specific parts related to Simple Web Discovery [SWD].
Once an OpenID Provider is identified, the endpoint and other configuration information for that provider is retrieved from a well-known location as a JSON document.
2. Terminology
- Client
- An application obtaining authorization and making protected resource requests.
- End-user
- A human resource owner.
- Principal
- A human resource owner that is the target of a request in Simple Web Discovery.
- OpenID Provider (OP)
- Authorization Servers that are able to support OpenID Connect Messages.
- Issuer ID
- The unique identifier of the OpenID Provider.
- Relying Party (RP)
- Client and Resource Servers.
- End-User Authorization Endpoint
- The Authorization Server's endpoint capable of authenticating the End-User and obtaining authorization.
- Client Identifier
- A unique identifier that the client uses to identify itself to the OP.
- Token Endpoint
- The Authorization Server's HTTP endpoint capable of issuing tokens.
- Authentication Endpoints
- End-User Authentication and Authorization endpoint.
- RP Endpoints
- The endpoint to which the OP responses are returned through redirect.
- UserInfo Endpoint
- A protected resource that when presented with a token by the client returns authorized information about the current user.
- Introspection Endpoint
- The Authorization Server's endpoint that takes an ID_Token or access token as input and returns an unpacked JSON representation of an ID_Token.
- Identifier
- An Identifier is either an "http" or "https" URI, (commonly referred to as a "URL" within this document), or an account URI. This document defines various kinds of Identifiers, designed for use in different contexts.
3. Provider Discovery
Provider discovery is optional. If an RP knows through an out-of-band mechanism that all identifiers with a particular property have the same issuer, it can skip this step and proceed to Section 4 (Provider Configuration Information).
Simple Web Discovery requires the following information to make a discovery request:
OpenID Connect has the following discoverable service in Simple Web Discovery:
| Service Type | URI |
|---|---|
| OpenID Issuer | http://openid.net/specs/cc/1.0/issuer |
To start discovery of OpenID endpoints, the end-user supplies an identifier to the client or relying party. The client applies the normalization rules to the identifier to extract the principal and host. It then makes an HTTPS request to the host's Simple Web Discovery endpoint with the principal and service parameters to obtain the location of the requested service.
What MUST be returned in the response is the origin (in the web or JavaScript sense) of the Issuer, that is, the URI scheme, host, and port.
3.1. Identifier Normalization
The user identifier can be one of the following:
Identifiers starting with the XRI (Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” November 2005.) [XRI_Syntax_2.0] characters ('=', '@', and '!') are reserved. Any identifier that contains the character '@' in any position other than the first MUST be treated as an e-mail address.
If the identifier is a hostname, then the hostname is used as both the principal and the host in the Simple Web Discovery request. This results in a directed identity request.
If the identifier is an e-mail address, the principal is the e-mail address and the host is the portion to the right of the '@' character.
A URL identifier is normalized according to the following rules:
3.2. Non-Normative Examples
To find the authorization endpoint for the given hostname, "example.com", the SWD parameters are as follows:
| SWD Parameter | Value |
|---|---|
| principal | example.com |
| host | example.com |
| service | http://openid.net/specs/cc/1.0/issuer |
Following the SWD specification, the client would make the following request to get the discovery information:
```http
GET /.well-known/simple-web-discovery?principal=example.com&service=http://openid.net/specs/cc/1.0/issuer HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.com/auth"]
}
```
To find the authorization endpoint for the given e-mail address, "joe@example.com", the SWD parameters are as follows:
| SWD Parameter | Value |
|---|---|
| principal | joe@example.com |
| host | example.com |
| service | http://openid.net/specs/cc/1.0/issuer |
Following the SWD specification, the client would make the following request to get the discovery information:
```http
GET /.well-known/simple-web-discovery?principal=joe@example.com&service=http://openid.net/specs/cc/1.0/issuer HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.com/auth"]
}
```
To find the authorization endpoint for the given URL, "https://example.com/joe", the SWD parameters are as follows:
| SWD Parameter | Value |
|---|---|
| principal | https://example.com/joe |
| host | example.com |
| service | http://openid.net/specs/cc/1.0/issuer |
Following the SWD specification, the client would make the following request to get the discovery information:
```http
GET /.well-known/simple-web-discovery?principal=https://example.com/joe&service=http://openid.net/specs/cc/1.0/issuer HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.com/auth"]
}
```
3.3. Redirection
In cases where the SWD request is handled at a host or location other than the one derived from the end-user's identifier, the host will return a JSON object containing the new location.
```http
GET /.well-known/simple-web-discovery?principal=joe@example.com&service=http://openid.net/specs/cc/1.0/issuer HTTP/1.1
Host: example.com

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "SWD_service_redirect":
 {
  "location":"https://example.net/swd_server"
 }
}
```

```http
GET /swd_server?principal=joe@example.com&service=http://openid.net/specs/cc/1.0/issuer HTTP/1.1
Host: example.net

HTTP/1.1 200 O.K.
Content-Type: application/json

{
 "locations":["https://example.net/auth"]
}
```
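The identifier normalization of Section 3.1, the SWD request construction of Section 3.2 and the SWD_service_redirect handling of Section 3.3, carried through as one added example. This is not code from the specification or from any OpenID implementation: the `fetch(host, request_target)` callback interface, the bound of three redirects, and the offline `FAKE_RESPONSES` table (built from the exchanges shown above) are assumptions made for this example.

```python
import json
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode, urlsplit

# Service type URI for the OpenID Issuer, from the discovery table in Section 3.
OPENID_ISSUER_SERVICE = "http://openid.net/specs/cc/1.0/issuer"
SWD_PATH = "/.well-known/simple-web-discovery"
XRI_RESERVED = ("=", "@", "!")
MAX_REDIRECTS = 3  # assumption: the specification sets no bound, a client should


def normalize_identifier(identifier: str) -> Tuple[str, str]:
    """Apply the Section 3.1 rules and return (principal, host)."""
    ident = identifier.strip()
    if not ident:
        raise ValueError("empty identifier")
    if ident[0] in XRI_RESERVED:
        raise ValueError("XRI identifiers ('=', '@', '!') are reserved")
    if "@" in ident[1:]:
        # '@' anywhere but the first position: an e-mail address. The principal
        # is the whole address, the host is everything right of the first '@'.
        _, _, host = ident.partition("@")
        if not host:
            raise ValueError("e-mail identifier has no host part")
        return ident, host.lower()
    if ident.lower().startswith(("http://", "https://")):
        # URL identifier: the principal is the URL, the host is its authority.
        parts = urlsplit(ident)
        if not parts.hostname:
            raise ValueError("URL identifier has no host")
        return ident, parts.hostname.lower()
    if "/" in ident or ":" in ident:
        raise ValueError("unrecognised identifier form")
    # Bare hostname: used as both principal and host (directed identity).
    return ident.lower(), ident.lower()


def swd_query(principal: str) -> str:
    """Query string of the SWD request; ':' '/' '@' stay unescaped as in the examples."""
    return urlencode({"principal": principal, "service": OPENID_ISSUER_SERVICE}, safe=":/@")


def require_https(url: str) -> str:
    """Refuse any location that is not an https URL with a host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL, got {url!r}")
    return url


def origin_of(url: str) -> str:
    """Scheme, host and port of a URL: the origin Section 3 says the response carries."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def resolve_issuer(identifier: str, fetch: Callable[[str, str], str]) -> str:
    """Discover the OpenID Issuer location for an end-user identifier.

    fetch(host, request_target) is an assumed interface that performs the
    HTTPS GET and returns the body. SWD_service_redirect answers are followed
    (same principal and service, new host and path), but only a few times.
    """
    principal, host = normalize_identifier(identifier)
    query = swd_query(principal)
    target = f"{SWD_PATH}?{query}"
    for _ in range(MAX_REDIRECTS + 1):
        body = json.loads(fetch(host, target))
        if "locations" in body:
            locations = body["locations"]
            if not isinstance(locations, list) or not locations:
                raise ValueError("SWD 'locations' must be a non-empty list")
            return require_https(locations[0])
        redirect = body.get("SWD_service_redirect")
        if not isinstance(redirect, dict) or "location" not in redirect:
            raise ValueError("SWD response carries neither locations nor a redirect")
        loc = urlsplit(require_https(redirect["location"]))
        host, target = loc.hostname, f"{loc.path or '/'}?{query}"
    raise ValueError("too many SWD redirects")


# Constructed SWD responses mirroring the Section 3.2 and 3.3 exchanges.
FAKE_RESPONSES: Dict[Tuple[str, str], str] = {
    ("example.com", f"{SWD_PATH}?{swd_query('example.com')}"):
        '{"locations": ["https://example.com/auth"]}',
    ("example.com", f"{SWD_PATH}?{swd_query('joe@example.com')}"):
        '{"SWD_service_redirect": {"location": "https://example.net/swd_server"}}',
    ("example.net", f"/swd_server?{swd_query('joe@example.com')}"):
        '{"locations": ["https://example.net/auth"]}',
}


def fake_fetch(host: str, target: str) -> str:
    """Offline stand-in for the HTTPS GET, answering only the constructed cases."""
    try:
        return FAKE_RESPONSES[(host, target)]
    except KeyError:
        raise ValueError(f"no SWD answer for {host}{target}") from None


if __name__ == "__main__":
    print(resolve_issuer("joe@example.com", fake_fetch))          # https://example.net/auth
    print(origin_of(resolve_issuer("example.com", fake_fetch)))  # https://example.com
```

The redirect path re-issues exactly the principal and service parameters of the first request, which is what the Section 3.3 exchange shows; the https check on both the redirect location and the final `locations` entry is what keeps a discovery answer from sending the client to a plaintext endpoint.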
4. Provider Configuration Information
This step is optional. The provider endpoints and configuration information may be provided out of band.
Using the Issuer ID discovered in Section 3 (Provider Discovery) or through direct configuration the OpenID Provider's configuration can be retrieved.
OpenID providers MUST make available a JSON document at the path .well-known/openid-configuration. The syntax and semantics of ".well-known" are defined in RFC 5785 (Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” April 2010.) [RFC5785]. "openid-configuration" MUST point to a JSON document compliant with this specification.
OpenID providers MUST support receiving SWD requests via TLS 1.2 as defined in RFC 5246 (Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” August 2008.) [RFC5246] and MAY support other transport layer security mechanisms of equivalent security.
4.1. Provider Configuration Request
A Provider Configuration Document is queried using an HTTPS GET request with the previously specified path.
The client would make the following request to get the configuration information:
```http
GET /.well-known/openid-configuration HTTP/1.1
Host: example.com
```
4.2. Provider Configuration Response
The response is a set of claims about the OpenID Provider's configuration, including all necessary endpoint, supported scope, and public key location information.
The response MUST return a plain text JSON object that contains a set of claims that are a subset of those defined below. Other claims MAY also be returned.
| Claim | Type | Description |
|---|---|---|
| authorization_endpoint | string | URI of the provider's Authentication and Authorization Endpoint. |
| token_endpoint | string | URI of the provider's Token Endpoint. |
| introspection_endpoint | string | URI of the provider's ID_Token Introspection Endpoint. |
| user_info_endpoint | string | URI of the provider's User Information Endpoint. |
| session_management_endpoint | string | URI of the provider's Session Management Endpoint. |
| jwk_endpoint | string | URI of the provider's JSON Web Key [JWK] (Jones, M., “JSON Web Key (JWK),” April 2011.) Document. |
| registration_endpoint | string | URI of the provider's Dynamic Client Registration [OpenID.CR] (Sakimura, N., Bradley, J., Ed., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0 - draft 02,” July 2011.) endpoint. |
| scopes_supported | string | A comma separated list of the OAuth 2.0 (Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “OAuth 2.0 Authorization Protocol,” May 2011.) [OAuth2.0] scopes that this server supports. The server MUST support the openid scope. |
| flows_supported | string | A comma separated list of the OAuth 2.0 flows that this server supports. The server MUST support the code flow. |
| eaa_supported | string | A comma separated list of the eaa that this server supports. |
| identifiers_supported | string | A comma separated list of the user identifier types that this server supports. |

Table 1: Reserved Claim Definitions
Example response:
```json
{
 "authorization_endpoint": "https://example.com/authorize",
 "token_endpoint": "https://example.com/token",
 "introspection_endpoint": "https://example.com/introspection",
 "user_info_endpoint": "https://example.com/user",
 "session_management_endpoint": "https://example.com/sm",
 "jwk_endpoint": "https://example.com/jwk.json",
 "registration_endpoint": "https://example.com/register",
 "scopes_supported": "openid",
 "flows_supported": "code,token",
 "eaa_supported": "http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf",
 "identifiers_supported": "omni,ppid"
}
```
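Fetching and validating the Provider Configuration Response of Sections 4.1 and 4.2, as an added example that is not part of the specification or of any OpenID Provider's code. It builds the well-known URL from the Issuer origin, splits the comma separated claims of Table 1, insists that every `*_endpoint` claim is an https URL, and enforces the two MUST-support requirements (the `openid` scope and the `code` flow). The `foreign_host_endpoints` check is an assumption added here, not a requirement of the specification; `EXAMPLE_DOCUMENT` is the example response above, constructed inline so the code runs offline.

```python
import json
from typing import Dict, List
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/openid-configuration"
# Claims that Table 1 defines as comma separated lists.
LIST_CLAIMS = ("scopes_supported", "flows_supported", "eaa_supported", "identifiers_supported")


def configuration_url(issuer: str) -> str:
    """Well-known configuration URL for an Issuer given as an https origin."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("issuer must be an https origin")
    return f"https://{parts.netloc}{WELL_KNOWN_PATH}"


def parse_provider_configuration(body: str) -> Dict[str, object]:
    """Parse and validate a Provider Configuration Response body.

    Endpoint claims must be https URLs, list claims are split on commas, and
    the openid scope and code flow MUST both be advertised. Claims outside
    Table 1 MAY be present and are kept unchanged.
    """
    config = json.loads(body)  # a malformed document (e.g. a missing comma) fails here
    if not isinstance(config, dict):
        raise ValueError("configuration document must be a JSON object")
    parsed: Dict[str, object] = {}
    for claim, value in config.items():
        if claim in LIST_CLAIMS:
            if not isinstance(value, str):
                raise ValueError(f"{claim} must be a comma separated string")
            parsed[claim] = [item.strip() for item in value.split(",") if item.strip()]
        elif claim.endswith("_endpoint"):
            if not isinstance(value, str):
                raise ValueError(f"{claim} must be a string")
            parts = urlsplit(value)
            if parts.scheme != "https" or not parts.hostname:
                raise ValueError(f"{claim} must be an https URL, got {value!r}")
            parsed[claim] = value
        else:
            parsed[claim] = value
    if "openid" not in parsed.get("scopes_supported", []):
        raise ValueError("provider MUST support the openid scope")
    if "code" not in parsed.get("flows_supported", []):
        raise ValueError("provider MUST support the code flow")
    return parsed


def foreign_host_endpoints(parsed: Dict[str, object], issuer: str) -> List[str]:
    """Endpoint claims whose host differs from the Issuer's host.

    Assumption: not required by the specification, but a relying party that
    logs these can notice a configuration document steering it to another host.
    """
    issuer_host = urlsplit(issuer).hostname
    return [claim for claim, value in parsed.items()
            if claim.endswith("_endpoint") and urlsplit(str(value)).hostname != issuer_host]


# Constructed input: the Section 4.2 example response.
EXAMPLE_DOCUMENT = """{
 "authorization_endpoint": "https://example.com/authorize",
 "token_endpoint": "https://example.com/token",
 "introspection_endpoint": "https://example.com/introspection",
 "user_info_endpoint": "https://example.com/user",
 "session_management_endpoint": "https://example.com/sm",
 "jwk_endpoint": "https://example.com/jwk.json",
 "registration_endpoint": "https://example.com/register",
 "scopes_supported": "openid",
 "flows_supported": "code,token",
 "eaa_supported": "http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdf",
 "identifiers_supported": "omni,ppid"
}"""

if __name__ == "__main__":
    print(configuration_url("https://example.com"))
    cfg = parse_provider_configuration(EXAMPLE_DOCUMENT)
    print(cfg["flows_supported"], foreign_host_endpoints(cfg, "https://example.com"))
```

Note that `eaa_supported` is a list claim rather than an endpoint, so its `http://` value is accepted as an opaque identifier; only the `*_endpoint` claims, which the client will actually send tokens and credentials to, are held to https.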
5. Other Items for Consideration
6. IANA Considerations
This document makes no request of IANA.
7. Security Considerations
8. References
8.1. Normative References
[JWK] Jones, M., “JSON Web Key (JWK),” April 2011.
[OpenID.CC] Recordon, D., Sakimura, N., Bradley, J., de Medeiros, B., Jones, M., and E. Jay, “OpenID Connect Core 1.0,” June 2011.
[OpenID.CR] Sakimura, N., Bradley, J., Ed., and M. Jones, “OpenID Connect Dynamic Client Registration 1.0 - draft 02,” July 2011.
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” STD 66, RFC 3986, January 2005.
[RFC5246] Dierks, T. and E. Rescorla, “The Transport Layer Security (TLS) Protocol Version 1.2,” RFC 5246, August 2008.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” RFC 5785, April 2010.
[SWD] Jones, M., Ed. and Y. Goland, “Simple Web Discovery,” October 2010.
8.2. Informative References
[OAuth2.0] Hammer-Lahav, E., Ed., Recordon, D., and D. Hardt, “OAuth 2.0 Authorization Protocol,” May 2011.
[OpenID.2.0] specs@openid.net, “OpenID Authentication 2.0,” 2007.
[XRI_Syntax_2.0] Reed, D. and D. McAlpin, “Extensible Resource Identifier (XRI) Syntax V2.0,” November 2005.
Appendix A. Acknowledgements
Appendix B. Document History
[[ to be removed once the specification is approved ]]
-00
Authors' Addresses

Nat Sakimura
Nomura Research Institute, Ltd.
Email: n-sakimura@nri.co.jp

John Bradley (editor)
Protiviti Government Services
Email: jbradley@mac.com

Michael B. Jones
Microsoft Corporation
Email: mbj@microsoft.com

Edmund Jay
MGI1
Email: ejay@mgi1.com