OpenID Connect Messages 1.0 - draft 16Nomura Research Institute, Ltd.n-sakimura@nri.co.jpPing Identityve7jtb@ve7jtb.comMicrosoftmbj@microsoft.comGoogle Inc.breno@google.comSalesforcecmortimore@salesforce.comIllumilaejay@mgi1.comOpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0
protocol. It allows Clients to verify the identity of the End-User based
on the authentication performed by an Authorization Server, as well as to
obtain basic profile information about the End-User in an interoperable and
REST-like manner.This specification only defines the endpoints and
the associated message formats.
The actual use MUST be based on one of
the companion protocol bindings specifications
such as OpenID Connect Standard 1.0.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.Throughout this document, values are quoted to indicate that they are
to be taken literally. When using these values in protocol messages, the
quotes MUST NOT be used as part of the value.This specification uses the terms "Access Token", "Refresh Token",
"Authorization Code", "Authorization Grant", "Authorization Server",
"Authorization Endpoint", "Client", "Client Identifier", "Client
Secret", "Protected Resource", "Resource Owner", "Resource Server", and
"Token Endpoint" defined by
OAuth 2.0,
and the terms "Claim Names" and "Claim Values" defined by
JSON Web Token (JWT).
This specification also defines the following terms:
Act of verifying End-User's possession
of previously provisioned credentials.
Information that the Relying Party may require before it makes an
entitlement decision with respect to an authentication response.
Such context may include, but is not limited to, the actual
authentication method used or level of assurance such as
ISO/IEC 29115
entity authentication assurance level.
A set of authentication methods or procedures that are considered
to be equivalent to each other in a particular context.
Identifier for an Authentication Context Class.
Piece of information about an Entity that a
Claims Provider asserts about that Entity.
Syntax used for representing a Claim value.
This specification defines Normal, Aggregated, and Distributed Claim Types.
Server that can
return Claims about an Entity.Human Resource Owner.Something that has a separate and
distinct existence and that can be identified in context.
An End-User is one example of an Entity.
Claim specified by the Client as being necessary to ensure a smooth
authorization experience for the specific task requested by the End-User.
Token that contains Claims about the authentication event.
It may contain other Claims. Entity that issues a set of Claims.Verifiable identifier for
an Issuer. An Issuer Identifier is a URL using the https scheme that
contains scheme, host, and OPTIONALLY, port number and path
components. (No query or fragment components may be present.)Request or a response between an OpenID
Relying Party and an OpenID Provider.
OAuth 2.0 Authorization Server that is capable of
returning Claims to a Relying Party
about the authentication event and the End-User
in an ID Token and/or a UserInfo Endpoint response.
Authorization Endpoint, Token Endpoint,
and UserInfo Endpoint.
JWT that contains a set of request parameters as its Claims.
Any information that (a) can be used to identify the natural person
to whom such information relates, or
(b) is or might be directly or indirectly linked to a
natural person to whom such information relates.
Identifier that identifies the Entity to a Relying Party.
An Entity's PPID at one Relying Party cannot be correlated
with the Entity's PPID at another Relying Party.
Application requiring Claims from an OpenID Provider.
It is an extended OAuth 2.0 Client.
Personal OpenID Provider that issues self-signed ID Tokens.
Protected Resource that, when
presented with an Access Token by the Client, returns Claims
about the End-User represented by that Access Token.
Claim specified by the Client as being useful but not Essential
for the specific task requested by the End-User.
The OpenID Connect protocol, in abstract, follows the following
steps.The RP (Client) sends a request to the OP's (Authorization Server's)
End-User Authorization Endpoint.The OP authenticates the End-User and obtains
appropriate authorization.The OP responds with an Access Token, an Id Token,
and a few other variables.The RP sends a request with the Access Token to the UserInfo Endpoint.The UserInfo Endpoint returns the additional End-User information
supported by the Resource Server.
This specification
only defines the abstract message flow and message formats. The actual
use MUST be based on one of the companion protocol bindings
specifications such as
OpenID Connect Standard 1.0,
OpenID Connect Basic Client Profile 1.0, or
OpenID Connect Implicit Client Profile 1.0.
In OpenID Connect, the RP interacts with these endpoints at the OP:Authorization Endpoint: The RP sends a request to the
OP at the Authorization Endpoint. The OP
then authenticates the End-User to determine whether he is eligible
to be authenticated. Then, after potential authorization actions by the
End-User, the Authorization Server returns an Authorization Response,
which can include an Authorization Code value.
For some Clients, the Implicit Grant will be used to obtain an Access Token
without using an Authorization Code. In this case,
the response_type parameter value MUST include token and id_token.Token Endpoint: The Client sends an Access Token Request
containing the Authorization Code to the
Token Endpoint to obtain an Access Token Response that includes an
Access Token and an ID Token.UserInfo Endpoint: The Client sends the Access Token to the UserInfo Endpoint
to obtain Claims about the End-User.The RP sends an Authorization Request to the Authorization Endpoint
of the OP to obtain an Authorization Response,
which may contain an ID Token and Access Token,
depending on the response_type value used.
An Authorization Request is a message sent from an RP
to the OP's Authorization Endpoint.
It is an extended OAuth 2.0
Authorization Request.
Section 4.1.1 and 4.2.1 of OAuth 2.0
define the OAuth 2.0 Authorization Request parameters.
OpenID Connect uses the following OAuth 2.0 request parameters:
REQUIRED.
Value that controls the parameters returned in the response from the
Authorization Endpoint.
The OAuth 2.0 specification defines two response types:
When supplied as the value for the
response_type parameter, a
successful response MUST include an Authorization Code as
defined in the OAuth 2.0 specification. Both successful
and error responses MUST be added as parameters to the
query component of the response. All tokens are returned
from the Token Endpoint.
When used by OpenID Connect, an ID Token is also returned
from the Token Endpoint.
OpenID Providers that are not Self-Issued OPs MUST support
this response_type.When supplied as the value for the
response_type parameter, a
successful response MUST include an Access Token as
defined in the OAuth 2.0 specification. Both successful
and error responses MUST be fragment-encoded.
No ID Token is provided to the Client;
therefore, this response_type
is not used by OpenID Connect.OpenID Connect supports these additional response types,
which have been registered with IANA:When supplied as the value
for the response_type
parameter, a successful response MUST include an ID Token.
Both successful and error responses SHOULD be fragment-encoded.
OpenID Providers MUST support this response_type.When supplied as the value
for the response_type
parameter, a successful response MUST include both an
Access Token and an ID Token.
Both successful and error responses SHOULD be fragment-encoded.
OpenID Providers MUST support this response_type.When supplied as the value for
the response_type parameter, a
successful response MUST include both an Access Token and
an Authorization Code as defined in the OAuth 2.0
specification.
When used by OpenID Connect, an ID Token is also returned
from the Token Endpoint.
Both successful and error responses SHOULD be fragment-encoded.When supplied as the value for
the response_type parameter, a
successful response MUST include both an Authorization Code
and an ID Token.
Both successful and error responses SHOULD be fragment-encoded.When supplied as the
value for the response_type
parameter, a successful response MUST include an
Authorization Code, an ID Token, and an Access Token.
Both successful and error responses SHOULD be fragment-encoded.
All OpenID Providers MUST support the
id_token and
token id_token response types and
all OpenID Providers that are not Self-Issued OPs MUST also support the
code response type.
The Client may use any OAuth 2.0 registered
response type supported by the OpenID Provider other than
token (which provides no ID Token).
REQUIRED.
OAuth 2.0 Client Identifier.
REQUIRED.
Space delimited, case sensitive list of ASCII OAuth 2.0 scope values.
OpenID Connect requests MUST contain the openid scope value.
OPTIONAL scope values of
profile,
email,
address,
phone,
and offline_access
are also defined.
See for more about the scope values defined by this specification.
REQUIRED.
Redirection URI to which the response will be sent.
This MUST be pre-registered with the OpenID Provider.
If the Client uses the OAuth implicit grant type, the redirection URI
MUST NOT use the http scheme
unless the Client is a native application, in which case it MAY
use the http: scheme with
localhost as the hostname.
If the Client only uses
the OAuth authorization_code grant type,
the redirection URI
MAY use the http scheme,
provided that the Client Type is
confidential,
as defined in Section 2.1 of OAuth 2.0.
RECOMMENDED.
Opaque value used
to maintain state between the request and the callback;
it can serve as a protection against XSRF attacks, among
other uses.
This specification also defines the following request parameters:
REQUIRED or OPTIONAL.
Random, unique string value used
to mitigate replay attacks.
Use of the nonce is REQUIRED for all requests where an ID Token
is returned directly from the Authorization Endpoint.
It is OPTIONAL when the ID Token is returned from the
Token Endpoint.
OPTIONAL.
ASCII string value that specifies
how the Authorization Server displays the authentication and
consent user interface pages to the End-User.
The defined values are:
The Authorization Server SHOULD display
authentication and consent UI consistent with a full User-Agent page
view. If the display parameter is not specified this is the
default display mode.The Authorization Server SHOULD display
authentication and consent UI consistent with a popup User-Agent
window. The popup User-Agent window SHOULD be 450 pixels wide
and 500 pixels tall.The Authorization Server SHOULD display
authentication and consent UI consistent with a device that
leverages a touch interface. The Authorization Server MAY attempt
to detect the touch device and further customize the interface.The Authorization Server SHOULD display
authentication and consent UI consistent with a "feature phone"
type display.
OPTIONAL.
Space delimited, case sensitive list of ASCII string values
that specifies whether the Authorization Server prompts
the End-User for reauthentication and consent.
The defined values are:
The Authorization Server
MUST NOT display any authentication or consent
user interface pages. An error is returned if the End-User
is not already authenticated or the Client does not have
pre-configured consent for the requested
Claims. This can be used as a
method to check for existing authentication and/or consent.The Authorization Server MUST prompt the
End-User for reauthentication.The Authorization Server MUST prompt
the End-User for consent before returning information to the
Client.The Authorization Server MUST
prompt the End-User to select a user account. This allows
a user who has multiple accounts at the Authorization Server
to select amongst the multiple accounts that they may have
current sessions for.
The prompt parameter
can be used by the Client to make sure that the End-User is
still present for the current session or to bring attention to the
request. If this parameter contains none
with any other value, an
error is returned.
OPTIONAL.
Maximum Authentication Age.
Specifies that the End-User must be actively authenticated if the
End-User was authenticated longer ago than the specified number of seconds.
(The max_age request parameter corresponds to
the OpenID 2.0 PAPEmax_auth_age request parameter.)
When max_age is used, the ID Token returned
MUST include an auth_time Claim value.
OPTIONAL.
End-User's preferred languages and scripts for the user interface,
represented as a space-separated list of
BCP47 language tag values,
ordered by preference.
For instance, the value "fr-CA fr-FR en-CA" represents a preference
for French as spoken in Canada, then French as spoken in France,
followed by English as spoken in Canada.
An error SHOULD NOT result if some or all of the requested locales
are not supported by the OpenID Provider.
OPTIONAL.
End-User's preferred languages and scripts for Claims being returned,
represented as a space-separated list of
BCP47 language tag values,
ordered by preference.
An error SHOULD NOT result if some or all of the requested locales
are not supported by the OpenID Provider.
OPTIONAL.
Previously issued ID Token
passed to the Authorization Server as a hint about the End-User's current or past
authenticated session with the Client.
This SHOULD be present when prompt=none is used.
If the End-User identified by the ID Token is logged in or is logged in by the request,
then the Authorization Server returns a positive response;
otherwise, it SHOULD return a negative response.
If the ID Token received by the RP is encrypted, the Client MUST
decrypt the signed ID Token contained within the encrypted ID Token.
The Client MAY re-encrypt the signed ID token to the Authentication Server
using a key that enables the server to decrypt the ID Token.
For a Self-Issued ID Token, the sub (subject) of the
signed ID Token MUST be sent as the kid (Key ID) of the JWE.
OPTIONAL.
Hint to the Authorization Server
about the login identifier the End-User may use to log in (if necessary).
This hint can be used by an RP if it first asks the End-User for their e-mail
address (or other identifier) and then wants to pass that value as a hint
to the discovered authorization service.
It is RECOMMENDED that the hint value match the value used for discovery.
The use of this parameter is left to the OP's discretion.
OPTIONAL.
Requested Authentication Context Class Reference values.
Space-separated string that specifies the acr
values that the Authorization Server MUST use
for processing requests from this Client.
The Authentication Context Class satisfied by the authentication
performed is returned as the acr Claim value,
as specified in .
OPTIONAL.
This parameter is used to request that specific Claims be returned.
The value is a JSON object, as specified in .
OPTIONAL.
This parameter is used by the Client to provide information about itself
to a Self-Issued OP that would normally be provided to an OP during
Dynamic Client Registration,
as specified in .
The registration parameter SHOULD NOT be used
when the OP is not a Self-Issued OP.
OPTIONAL.
This parameter enables
OpenID Connect requests to be passed in a single,
self-contained parameter and to be signed and optionally encrypted.
The parameter value is a Request Object.
It represents the request as JWT whose Claims are the request parameters
above, as specified in .
When the request parameter is used,
the OpenID Connect request parameter values contained in the JWT
supersede those passed using the OAuth 2.0 request syntax.
Even if a scope parameter
is present in the Request Object,
a scope parameter MUST always be passed using
the OAuth 2.0 request syntax containing the
openid scope value to indicate to the
underlying OAuth 2.0 logic that this is an OpenID Connect request.
OPTIONAL.
This parameter enables
OpenID Connect requests to be passed by reference, rather than by value.
The request_uri value is a URL
using the https scheme
referencing a resource containing a Request Object value,
which is a JWT containing the request parameters.
This parameter is used identically to the
request parameter, other than that
the Request Object is retrieved from the specified URL,
rather than passed by value.
See for more information on using the
request_uri parameter.
An Authorization Response is a message returned from the
OP's Authorization Endpoint in response to the Authorization Request
by the RP.This specification only
describes OAuth 2.0 Bearer Token Usage. The
OAuth 2.0 response parameter token_type
MUST be set to Bearer unless another Token Type
has been negotiated with the Client.When the response_type in the request
is code, the Authorization Response
MUST return the parameters defined in Section 4.1.2 of
OAuth 2.0.When the response_type
includes other values, they must be returned as defined by
their registration. The id_token
and token id_token response types are defined in
OAuth 2.0 Multiple Response Type Encoding Practices.The ID Token is a security token that contains Claims about the
authentication event and other requested Claims.
The ID Token is represented as a JSON Web Token (JWT).The ID Token is used to manage the authentication event and user
identifier and is scoped to a particular Client via the aud (audience) and nonce
Claims. The following Claims are used within the ID Token:REQUIRED.
Issuer Identifier for the Issuer
of the response.REQUIRED.
Subject identifier. A locally unique and never
reassigned identifier within the Issuer for the End-User,
which is intended to be
consumed by the Client. e.g. 24400320
or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4.
It MUST NOT exceed 255 ASCII characters in length.REQUIRED.
Audience
that this ID Token is intended for. It MUST contain the
OAuth 2.0 client_id of the Client.
OPTIONAL.
Authorized Presenter.
This member identifies an OAuth 2.0 Client authorized to use this
ID Token as an OAuth Access Token.
It MUST contain the client_id
of the Authorized Presenter.
This Claim is only needed when the party requesting the ID Token
is not the same as the audience of the ID Token.
It MAY be included even when the Authorized Presenter is the same
as the audience.
REQUIRED.
Expiration time on or after which the ID Token MUST NOT be
accepted for processing. The processing of this parameter
requires that the current date/time MUST be before the
expiration date/time listed in the value. Implementers MAY
provide for some small leeway, usually no more than a few
minutes, to account for clock skew. The value is the number of
seconds from 1970-01-01T0:0:0Z as measured in UTC until the
desired date/time. See RFC 3339
for details regarding date/times in general and UTC in
particular.REQUIRED.
Time at which the JWT was issued.
The value is the number of
seconds from 1970-01-01T0:0:0Z as measured in UTC until the
desired date/time. See RFC 3339
for details regarding date/times in general and UTC in
particular.
OPTIONAL or REQUIRED.
Time when the End-User authentication occurred, specified as
the number of seconds since 1970-01-01T0:0:0Z as measured in UTC.
When a max_age request is made
or when auth_time is requested
as an Essential Claim,
then this Claim is REQUIRED.
(The auth_time Claim semantically
corresponds to the OpenID 2.0 PAPEauth_time response parameter.)
OPTIONAL or REQUIRED.
String value used to associate a Client session
with an ID Token, and to mitigate replay attacks.
The value is passed through unmodified from the Authorization Request to the ID Token.
If present in the ID Token,
Clients MUST verify that
the nonce Claim value is equal to
the value of the nonce
parameter sent in the Authorization Request.
If present in the Authorization Request, Authorization Servers
MUST include a nonce Claim in the
ID Token with the Claim value
being the nonce value sent in the Authorization Request.
Use of the nonce is REQUIRED for all requests where an ID Token
is returned directly from the Authorization Endpoint.
It is OPTIONAL when the ID Token is returned from the
Token Endpoint.
OPTIONAL or REQUIRED.
Access Token hash value.
If the ID Token is issued from the Authorization Endpoint with an
access_token, this is REQUIRED.
This is OPTIONAL when the ID Token is issued from the Token Endpoint.
The value is produced by base64url encoding the left-most half of the hash
created by hashing the access_token
with the hash algorithm specified in JWS for the
alg
parameter in the JWS header.
For instance, if the alg is
RS256, hash access_token
with SHA-256, then take the left-most 128 bits and base64url encode them.
OPTIONAL or REQUIRED.
Code hash value.
If the ID Token is issued from the Authorization Endpoint with a
code, this is REQUIRED.
This is OPTIONAL when the ID Token is issued from the Token Endpoint.
The value is produced by base64url encoding the left-most half of the hash
created by hashing the code
with the hash algorithm specified in JWS for the
alg
parameter in the JWS header.
For instance, if the alg is
HS512, hash code
with SHA-512, then take the left-most 256 bits and base64url encode them.
OPTIONAL.
Authentication Context Class Reference.
String specifying an Authentication Context Class Reference value
that identifies the Authentication Context Class that the
authentication performed satisfied.
The value "0" indicates the End-User authentication
did not meet the requirements of
ISO/IEC 29115 level 1.
Authentication using a long-lived browser cookie, for instance, is one
example where the use of "level 0" is appropriate. Authentications with
level 0 should never be used to authorize access to any resource of any
monetary value.
(This corresponds to the OpenID 2.0
PAPEnist_auth_level 0.)
An absolute URI or a registered
name MAY be used as an acr value.
OPTIONAL.
Authentication Methods References.
JSON array of strings that are identifiers for authentication methods
used in the authentication.
For instance, values might indicate that both password and OTP
authentication methods were used.
The definition of particular values to be used in the
amr Claim
is beyond the scope of this specification.
NOT RECOMMENDED or REQUIRED.
Public key value used to check the signature of an ID Token
issued by a Self-Issued OpenID Provider,
as specified in .
The key is a bare key in JWK format
(not an X.509 certificate value).
Use of the sub_jwk Claim
is REQUIRED when the OP is a Self-Issued OP and
is NOT RECOMMENDED when the OP is not Self-Issued.
The JWT MAY contain other Claims
that are understood by all parties using it.ID Tokens MUST be signed using JWS and OPTIONALLY both signed and
encrypted using JWS and JWE respectively, thereby providing
authentication, integrity,
non-repudiation, and optionally, confidentiality.
Clients MUST directly validate the ID Token per
ID Token Validation.
The following is a non-normative example of a base64url decoded
ID Token
(with line wraps for display purposes only):If the End-User denies the access request or if the request
fails, the OP (Authorization Server) informs the RP (Client)
by using the Error Response parameters defined in
Sections 4.1.2.1 or 4.2.2.1 of OAuth 2.0,
according to the response_type used.In addition to the error codes defined in Sections 4.1.2.1 and 4.2.2.1 of
OAuth 2.0, this specification also defines the following error codes:The Authorization Server
requires End-User interaction of some form to proceed.
This error MAY be returned when the
prompt parameter in the
Authorization Request is set to none
to request that the
Authorization Server should not display any user interfaces to
the End-User, but the Authorization Request cannot be completed
without displaying a user interface for End-User interaction.The Authorization Server requires
End-User authentication. This error MAY be returned when the
prompt parameter in the
Authorization Request is set to
none to request that the
Authorization Server should not display any user interfaces to
the End-User, but the Authorization Request cannot be completed
without displaying a user interface for user authentication.
The End-User is required
to select a session at the Authorization Server. The End-User MAY
be authenticated at the Authorization Server with different
associated accounts, but the End-User did not select a session.
This error MAY be returned
when the prompt parameter in the
Authorization Request is set to none
to request that the
Authorization Server should not display any user interfaces to
the End-User, but the Authorization Request cannot be completed
without displaying a user interface to prompt for a session to
use.The Authorization Server
requires End-User consent. This error MAY be returned when the
prompt parameter in the
Authorization Request is set to none
to request that the
Authorization Server should not display any user interfaces to
the End-User, but the Authorization Request cannot be completed
without displaying a user interface for End-User consent.The
request_uri in
the Authorization Request returns an error or contains invalid data.The
request parameter contains an invalid
Request Object.
The OP does not support use of the
registration parameter.
The OP does not support use of the
request parameter.
The RP (Client) sends an Access Token Request to the Token Endpoint
to obtain an Access Token Response,
which MAY include an Access Token, a Refresh Token,
an ID Token, and other results.During Client Registration, the RP (Client) MAY register an authentication method.
If no method is registered, the default method of client_secret_basic MUST be used.The Supported options are:
Clients that have received a client_secret value
from the Authorization Server, authenticate with the Authorization Server
in accordance with Section 3.2.1 of OAuth 2.0 using HTTP Basic authentication scheme.
Clients that have received a client_secret value
from the Authorization Server, authenticate with the Authorization Server
in accordance with Section 3.2.1 of OAuth 2.0 by including the Client Credentials in the request body.
Clients that have received a client_secret value
from the Authorization Server create a JWT using an
HMAC SHA algorithm, such as HMAC SHA-256.
The HMAC (Hash-based Message Authentication Code) is calculated using
the bytes of the UTF-8 representation of
the client_secret as the shared key.
The Client authenticates in accordance with Section 2.2 of OAuth JWT Bearer Token Profiles and
OAuth 2.0 Assertion Profile.
The JWT MUST contain the following REQUIRED Claim values and
MAY contain the following OPTIONAL Claim values:REQUIRED.
Issuer.
This MUST contain the client_id of the OAuth Client.REQUIRED.
Subject.
This MUST contain the client_id of the OAuth Client.
REQUIRED.
Audience.
The aud (audience) Claim.
Value that identifies the Authorization Server as an intended audience.
The Authorization Server MUST verify that it is an intended audience
for the token.
The Audience SHOULD be the URL of the
Authorization Server's Token Endpoint.
REQUIRED.
JWT ID.
A unique identifier for the token. The
JWT ID MAY be used by implementations requiring message
de-duplication for one-time use assertions. REQUIRED.
Expiration time on or after which the ID Token MUST NOT be
accepted for processing.OPTIONAL.
Time at which the JWT was issued.
The value is the number of seconds from 1970-01-01T0:0:0Z
as measured in UTC until the desired date/time.The JWT MAY contain other Claims
that are understood by all parties using it.The authentication token MUST be sent as the value of the
client_assertion parameter.The value of the
client_assertion_type parameter
MUST be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
per .
Clients that have registered a public key sign a JWT using
the RSA algorithm if a RSA key was registered
or the ECDSA algorithm if an Elliptic Curve key was registered
(see JWA for the algorithm identifiers).
The Client authenticates in accordance with Section 2.2 of OAuth JWT Bearer Token Profiles and
OAuth 2.0 Assertion Profile.
The JWT MUST contain the following REQUIRED Claim values and
MAY contain the following OPTIONAL Claim values:REQUIRED.
Issuer.
This MUST contain the client_id of the OAuth Client.REQUIRED.
Subject.
This MUST contain the client_id of the OAuth Client.
REQUIRED.
Audience.
The aud (audience) Claim.
Value that identifies the Authorization Server as an intended audience.
The Authorization Server MUST verify that it is an intended audience
for the token.
The Audience SHOULD be the URL of the
Authorization Server's Token Endpoint.
REQUIRED.
JWT ID.
A unique identifier for the token. The
JWT ID MAY be used by implementations requiring message
de-duplication for one-time use assertions. REQUIRED.
Expiration time on or after which the ID Token MUST NOT be
accepted for processing.OPTIONAL.
Time at which the JWT was issued.
The value is the number of seconds from 1970-01-01T0:0:0Z
as measured in UTC until the desired date/time.The JWT MAY contain other Claims
that are understood by all parties using it.The authentication token MUST be sent as the value of the
client_assertion parameter.The value of the
client_assertion_type parameter
MUST be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
per .
For example
(with line wraps for display purposes only):
The Client obtains an Access Token by authenticating with the
Authorization Server and presenting its Authorization Grant (in the form of
an Authorization Code or Refresh Token).In addition to the Client authentication parameters,
if this is a Refresh Token Request, the Client MUST send the additional parameters
specified in Section 6 of OAuth 2.0.
Otherwise the Client
MUST send the request parameters as
specified in Section 4.1.3 of OAuth 2.0.After receiving and validating a valid and authorized Access Token Request
from the Client, the Authorization Server returns a successful
response that includes an Access Token and an ID Token. The
parameters in the successful response are defined in Section 4.1.4
of OAuth 2.0.This specification only
describes OAuth 2.0 Bearer Token Usage. The
OAuth 2.0 response parameter token_type
MUST be set to Bearer unless another Token Type
has been negotiated with the Client. Servers SHOULD support
OAuth 2.0 Bearer Token Usage for interoperability.
For security reasons Servers may only allow Clients to register specific
token_type. Clients MUST support
OAuth 2.0 Bearer Token Usage and MAY support other
token_type. In addition to the OAuth 2.0 response parameters, the following
parameters MUST be included in the response if the
grant_type value is
authorization_code
and the Authorization Request scope parameter
contained openid:ID Token value associated with the
authenticated session.
An id_token MUST be
returned when the grant_type value is
authorization_code
and MAY be returned when other grant types are used.
If an ID Token is returned as a result of a token refresh request,
the following requirements apply:
its iat Claim MUST represent
the time that the new ID Token is issued;
if the ID Token contains an auth_time Claim,
its value MUST represent the time of the original authentication - not
the time that the new ID token is issued;
if the ID Token contains an azp Claim,
its value MUST be the same as the azp Claim
in the ID Token issued when the original authentication occurred;
otherwise, the same rules apply as apply when issuing an ID Token
at the time of the original authentication.
Following is a non-normative example:As in the OAuth 2.0, Clients
SHOULD ignore unrecognized response parameters.If the Token Request is invalid or unauthorized, the
Authorization Server constructs the error response. The parameters
of the Token Error Response are defined as in Section 5.2 of OAuth 2.0.The UserInfo Endpoint is an OAuth 2.0 Protected Resource that
returns Claims about the authenticated End-User. Claims are
represented by a JSON object that contains a collection of
name and value pairs for the Claims.
Clients send requests to the
UserInfo Endpoint to obtain Claims about the End-User.
The UserInfo Endpoint is an OAuth 2.0
Protected Resource that complies with the OAuth 2.0 Bearer Token Usage specification.
The Access Token SHOULD be sent using the
Authorization header field.
The following parameters are defined for use in UserInfo Requests:
REQUIRED.
Access Token obtained
from an OpenID Connect Authorization Request. REQUIRED.
Schema in which the
data is to be returned. The only defined schema
value is openid.This identifier is reserved. It MUST be
ignored by the endpoint when the openid schema is used.
If the requested schema is openid,
the UserInfo Claims MUST be returned as the members of a JSON object.
The Claims defined in can be returned,
as can additional Claims not specified there.
If a Claim is not returned, that Claim Name SHOULD be
omitted from the JSON object representing the Claims; it
SHOULD NOT be present with a null or empty string value.
The sub (subject) Claim
MUST always be returned in the UserInfo Response.
NOTE: The UserInfo Endpoint response is not guaranteed to be about the
End-User identified by the sub (subject)
element of the ID Token.
The sub Claim in the UserInfo Endpoint response
MUST be verified to exactly match the
sub Claim in the ID Token
before using additional UserInfo Endpoint Claims.
When an error condition occurs, the UserInfo Endpoint returns
an Error Response as defined in Section 3 of
OAuth 2.0 Bearer Token Usage.
In addition to the error codes defined in Section 3.1 of OAuth 2.0 Bearer Token Usage, this specification defines the
following error codes:The requested schema is invalid or
unsupported.OpenID Connect Clients use scope values as defined in 3.3 of
OAuth 2.0 to specify what
access privileges are being requested for Access Tokens. The scopes associated
with Access Tokens determine what resources will be available when they are
used to access OAuth 2.0 protected endpoints. For OpenID Connect, scopes
can be used to request that specific sets of information
be made available as Claim values.
OAuth 2.0 allows additional scope values to be specified, as extensions.
This specification describes only the scope values used by OpenID Connect.
Claims requested by the following scopes are treated by Authorization Servers
as Voluntary Claims.
OpenID Connect defines the following scope values:REQUIRED. Informs the Authorization Server
that the Client is making an OpenID Connect request. If the
openid scope value is not present,
the behavior is entirely unspecified.
OPTIONAL. This scope value
requests access to the End-User's default profile Claims.
These Claims are:
name,
family_name,
given_name,
middle_name,
nickname,
preferred_username,
profile,
picture,
website,
gender,
birthdate,
zoneinfo,
locale, and
updated_time.OPTIONAL. This scope value requests access to
the email and
email_verified Claims.OPTIONAL. This scope value requests access to
the address Claim.OPTIONAL. This scope value requests access to
the phone_number Claim.OPTIONAL. This scope value requests
that an OAuth 2.0 Refresh Token be issued that can be used to
obtain an Access Token that grants access to the End-User's
UserInfo Endpoint even when the user is not present (not logged in).Multiple scope values MAY be used by creating a space delimited, case
sensitive list of ASCII scope values.
The Claims requested by the
profile,
email,
address, and
phone scope values
are returned from the UserInfo Endpoint,
as described in ,
when a response_type value is used
that results in an Access Token being issued.
However, when the response_type value used is
id_token (which issues no Access Token),
the resulting Claims are returned in the ID Token.
In some cases, the End-User will be given the option to
have the OpenID Provider decline to provide some or all
information requested by Clients.
To minimize the amount of information that the user is being asked
to disclose, a Client may elect to
only request a subset of the information available from the
UserInfo Endpoint.The following is a non-normative example of a scope
Request.This specification defines a set of standard Claims.
They can be requested to be returned either in the
UserInfo Response or in the ID Token.
MemberTypeDescriptionsubstringSubject - Identifier for the End-User at the Issuer.namestringEnd-User's full name in displayable form including all name parts,
ordered according to End-User's locale and preferences.given_namestringGiven name or first name of the End-User.family_namestringSurname or last name of the End-User.middle_namestringMiddle name of the End-User.nicknamestringCasual name of the End-User that MAY or MAY not be the same as the
given_name. For instance, a nickname value of Mike
might be returned alongside a given_name
value of Michael.preferred_usernamestringShorthand name that the End-User wishes to be referred to at the RP, such as
janedoe or j.doe.
This value MAY be any valid JSON string including
special characters such as @,
/, or whitespace. This value MUST NOT
be relied upon to be unique by the RP.
(See .)profilestringURL of the End-User's profile page.picturestringURL of the End-User's profile picture.websitestringURL of the End-User's web page or blog.emailstringEnd-User's preferred e-mail address.
This value MUST NOT be relied upon to be unique by
the RP. (See .)email_verifiedbooleanTrue if the End-User's e-mail address has been verified; otherwise
false.genderstringEnd-User's gender. Values defined by this
specification are female and
male. Other values MAY be used
when neither of the defined values are applicable.birthdatestringEnd-User's birthday, represented as an
ISO 8601:2004YYYY-MM-DD
format. The year MAY be 0000, indicating that it is omitted.
To represent only the year, YYYY format is allowed. Note that
depending on the underlying platform's date related function, providing just year may
result in varying month and day, so the implementers should take this factor into account
to correctly process the dates. zoneinfostringString from zoneinfo time zone
database representing the End-User's time zone.
For example, Europe/Paris or
America/Los_Angeles.localestringEnd-User's locale, represented as a
BCP47 language tag.
This is typically an ISO 639-1 Alpha-2 language code in
lowercase and an ISO 3166-1
Alpha-2 country code in uppercase, separated by a dash. For
example, en-US or fr-CA.
As a compatibility note, some implementations have used an
underscore as the separator rather than a dash, for example,
en_US; Implementations MAY choose to
accept this locale syntax as well.phone_numberstringEnd-User's preferred telephone number.
E.164 is RECOMMENDED as the format of this Claim.
For example, +1 (425)
555-1212 or +56 (2) 687 2400.addressJSON objectEnd-User's preferred address. The value of the address member is a JSON structure containing some or all of
the members defined in . updated_timestringTime the End-User's information was last updated, represented as a
RFC 3339 datetime. For example,
2011-01-03T23:58:42+0000.For privacy reasons, OpenID Providers MAY elect to not return
values for some requested Claims.The sub (subject) Claim in the UserInfo Endpoint response MUST exactly match the
sub Claim in the ID Token, before using additional UserInfo Endpoint Claims.The UserInfo Endpoint MUST return Claims in JSON format unless a
different format was specified during Registration
.
The UserInfo Endpoint MAY return Claims in
JWT format, which can be signed and/or encrypted.
The UserInfo Endpoint MUST return a content-type header to indicate
the format that is being returned. The following are accepted content
types:Content-TypeFormat Returnedapplication/jsonplain text JSON objectapplication/jwtJSON Web Token (JWT)The following is a non-normative example of such a
response:
The components of a physical mailing address.
Implementations MAY return only a subset of the
fields of an address, depending upon
the information available and the End-User's privacy
preferences. For
example, the country and region might be returned without returning
more fine-grained address information.
Implementations MAY return just the full address
as a single string in the formatted sub-field,
or they MAY return just the individual component
fields using the other sub-fields,
or they MAY return both.
If both variants are returned,
they SHOULD be describing the same address,
with the formatted address indicating how the
component fields should be combined.
Full mailing address,
formatted for display or use with a mailing label.
This field MAY contain newlines. This is the
Primary Sub-Field for this field,
for the purposes of sorting and filtering.
Full street address component,
which may include house number, street name,
PO BOX, and multi-line extended street
address information. This field MAY contain newlines.City or locality component.State, province,
prefecture or region component.Zip code or
postal code component.Country name component.
Claims MAY be represented in multiple languages and scripts.
To specify the languages and scripts, BCP47 language tags are added to member names,
delimited by a # character. For example,
family_name#ja-Kana-JP expresses the
Family Name in Katakana in Japanese, which is commonly used to index
and represent the phonetics of the Kanji representation of the same
represented as family_name#ja-Hani-JP.
A claims_locales request can be used to
specify the preferred languages and scripts to use for the returned Claims.
describes how to request
that specific Claims use particular languages and scripts.
The sub (subject) Claim is the only Claim that a Client
can rely upon to be stable, since the sub
Claim MUST be locally unique and never reassigned within the Issuer
for a particular End-User, as described in .Therefore, the only guaranteed unique identifier for a given End-User is a
combination of the Issuer's identifier and the sub
Claim; other fields such as preferred_username
and email MUST NOT be used as unique identifiers
for a given End-User.All other Claims carry no such guarantees across different issuers in terms of
stability over time or uniqueness across users, and Issuers are permitted to
apply local restrictions and policies. For instance, an Issuer MAY re-use a
given preferred_username or
email address Claim across different
End-Users at different points in time, and the claimed
preferred_username or
email address for a given End-User MAY change
over time.
The claims parameter requests that specific Claims
be returned from the UserInfo Endpoint and/or in the ID Token.
It is represented as a JSON object containing lists of Claims being requested
from these locations.
Properties of the Claims being requested may also be specified.
Support for the claims parameter is OPTIONAL.
Should an OP not support this parameter and an RP uses it,
the OP SHOULD return a set of Claims to the RP that it believes would
be useful to the RP and the End-User using whatever heuristics it
believes are appropriate.
The claims_parameter_supported
Discovery result indicates whether the OP supports this parameter.
The claims parameter value is represented
in an OAuth 2.0 request as UTF-8 encoded JSON
(which ends up being form-urlencoded when passed as an OAuth parameter).
When used in a Request Object, per ,
the JSON is used as the value of the
claims member.
The top-level members of the Claims request JSON object are:
OPTIONAL.
Requests that the listed individual Claims be returned
from the UserInfo Endpoint.
If present, the listed Claims are being requested to be added to
any Claims that may have also been requested using
scope values.
If not present, the Claims being requested from the UserInfo Endpoint
are only those requested using scope values.
When the userinfo member is used,
the request MUST also use a response_type
value that results in an Access Token being issued
to use at the UserInfo Endpoint.
OPTIONAL.
Requests that the listed individual Claims be returned
in the ID Token.
If present, the listed Claims are being requested to be added to
the default Claims in the ID Token.
If not present, the default ID Token Claims are requested.
Other members MAY be present and if so, SHOULD understood by
both parties.
An example Claims request is as follows:
Note that a Claim that is not in the standard set defined in
, the (example)
http://example.info/claims/groups Claim,
is being requested.
Using the claims parameter is the only
way to request Claims outside the standard set.
It is also the only way to request specific combinations of the
standard Claims that can not be specified using scope values.
The userinfo and
id_token members of the
claims request both are JSON objects
with the names of the individual Claims being requested as the member names.
The member values MUST be one of the following:
Indicates that this Claim is being requested in the default manner.
In particular, this is a Voluntary Claim.
For instance, the Claim request:
requests the given_name Claim
in the default manner.
Used to provide additional information about the Claim being
requested. This specification defines the following members:
OPTIONAL.
Indicates whether the Claim being requested is an Essential Claim.
If the value is true,
this indicates that the Claim is an Essential Claim.
For instance, the Claim request:
can be used to specify that it is Essential to return an
auth_time Claim value.
If the value is false,
it indicates that it is a Voluntary Claim.
The default is false.
By requesting Claims as Essential Claims
the Client indicates to the End-User
that releasing these Claims will ensure a smooth authorization
for the specific task requested by the End-User.
Note that even if the Claims are not available because
the End-User did not authorize their release or they are not present,
the Authorization Server MUST NOT generate an error when
Claims are not returned, whether they are Essential or Voluntary.
OPTIONAL.
Requests that the Claim be returned with a particular value.
For instance the Claim request:
can be used to specify that the request apply to the End-User
with subject identifier 248289761001.
OPTIONAL.
Requests that the Claim be returned with one of a set of values,
with the values appearing in order of preference.
For instance the Claim request:
specifies that it is Essential that the acr
Claim be returned with either the value
urn:mace:incommon:iap:silver or
urn:mace:incommon:iap:bronze.
Other members MAY be defined to provide additional
information about the requested Claims,
and if so, SHOULD be understood by both parties.
Note that when the claims request parameter
is supported, the scope values that request Claims, as defined in
, are effectively shorthand methods for
requesting sets of individual Claims.
For example, using the scope value openid email
and a response_type that returns an Access Token
is equivalent to using the scope value openid
and the following request for individual Claims.
Equivalent of using the email scope value:
As described in ,
Claims MAY be represented in multiple languages and scripts.
Within a request for individual Claims, requested languages and scripts
for particular Claims may be requested by including Claim Names
that contain #-separated
BCP47 language tags
in the Claims request, using the Claim Name syntax specified in
.
For example, a Family Name in Katakana in Japanese
can be requested using the Claim Name
family_name#ja-Kana-JP
and a Kanji representation of the Family Name in Japanese
can be requested using the Claim Name
family_name#ja-Hani-JP.
The UserInfo Endpoint MAY return the
following three types of Claims:Claims that are directly asserted by
the OpenID Provider.Claims that are asserted by a
Claims Provider other than the OpenID Provider but are returned
by OpenID Provider.Claims that are asserted by a
Claims Provider other than the OpenID Provider but are returned
as references by the OpenID Provider.The UserInfo Endpoint MUST support Normal Claims.Aggregated and Distributed Claims support is OPTIONAL.Normal Claims are represented as members in a JSON object. The
Claim Name is the member name and the Claim Value is the member
value.The following is a non-normative response containing Normal Claims:Aggregated and distributed Claims are represented by
using special _claim_names and
_claim_sources members
of the JSON object containing the Claims.
JSON object whose member
names are the Claim Names for the Aggregated and Distributed
Claims. The member values are references to the member names
in the _claim_sources member from which
the actual Claim Values can be retrieved.
JSON object whose
member names are referenced by the member values of the
_claim_names member. The member values
contain sets of Aggregated Claims or reference locations for
Distributed Claims. The member values can have one of the
following formats depending on whether it is providing
Aggregated or Distributed Claims:
JSON object that MUST
contain the JWT member whose value is a JWT that MUST contain all the Claims
in the _claim_names object that references the
corresponding _claim_sources member. Other members MAY
be present if they are understood by both parties.
REQUIRED.
JWT containing Claim values.
JSON object that
contains the following members and values:
REQUIRED.
OAuth 2.0 resource endpoint from which the associated
Claim can be retrieved. The endpoint URL MUST return
the Claim as a JWT.OPTIONAL.
Access Token
enabling retrieval of the Claims from the endpoint URL
by using the OAuth 2.0 Bearer Token Usage
protocol. Claims SHOULD be requested using
the Authorization Request header field and Claims
Sources MUST support this method. If the Access Token
is not available, Clients MAY need to retrieve the
Access Token out of band or use an a priori Access Token
that was negotiated between the Claim Source and
Client, or the Claim Source MAY reauthenticate the
End-User and/or reauthorize the Client.
In this non-normative example, Claims from Claims Provider A
are combined with other Claims held by the OpenID provider, with the
Claims from Claims Provider A being returned as Aggregated Claims.
In this example, these Claims about Jane Doe have been issued by
Claims Provider A:
Claims Provider A signs the JSON Claims, representing them in a signed JWT:
jwt_header.jwt_part2.jwt_part3.
It is this JWT that is used by the OpenID Provider.
In this example, this JWT containing Jane Doe's Aggregated Claims
from Claims Provider A is combined with other Normal Claims,
and returned as the following set of Claims:
In this non-normative example, the OpenID Provider combines
Normal Claims that it holds with references to Claims held by
two different Claims Providers, B and C, incorporating references
to some of the Claims held by B and C as Distributed Claims.
In this example, these Claims about Jane Doe are held by
Claims Provider B (Jane Doe's bank):
Also in this example, this Claim about Jane Doe is held by
Claims Provider C (a credit agency):
The OpenID Provider returns Jane Doe's Claims along with references
to the Distributed Claims from Claims Provider B and Claims Provider C
by sending the Access Tokens and URLs of locations from which the
Distributed Claims can be retrieved:
Provider's Discovery documents SHOULD list their supported identifier types in the
subject_types_supported element.
If there is more than one type listed in the array, the Client MAY elect to
provide its preferred identifier type using the
subject_type parameter during Registration.
The types supported by this specification are:
This provides the same sub (subject) value to all Clients. It is the default if
the provider has no subject_types_supported element in its discovery document.
This provides a different sub value to each Client, to prevent
correlation of the user's activities by Clients without the user's permission.The OpenID Provider MUST calculate a unique
sub (subject) value for each
Sector Identifier. The subject value MUST NOT be reversible
by any party other than the OpenID Provider.Providers who use pairwise sub values SHOULD
support the sector_identifier_uri in
Dynamic Client Registration.
It provides a way for a group of websites under common administrative
control to have consistent pairwise sub
values independent of the individual domain names.
It also provides a way for Clients to change
redirect_uri domains without having to
reregister all of their users.If the Client has not provided a value for
sector_identifier_uri in
Dynamic Client Registration,
the Sector Identifier
used for pairwise identifier calculation is the host component
of the registered redirect_uri.
If there are multiple hostnames in the registered
redirect_uris, the Client MUST register a
sector_identifier_uri.When a sector_identifier_uri
is provided, the host component of that URL is used as
the Sector Identifier for the pairwise identifier calculation.
The value of the sector_identifier_uri
must be a URL using the https scheme that points to
a JSON file containing an array of
redirect_uri values.
The values of the registered redirect_uris
must be included in the elements of the array,
or the registration MUST fail.
A number of algorithms can be used by OpenID Providers to
calculate pairwise identifiers.
Three example methods are:
The Sector Identifier can be concatenated with a local account ID and a salt
value that is kept secret by the Provider. The concatenated string is then
hashed using an appropriate algorithm.
Calculate sub = SHA-256 ( sector_identifier | local_account_id | salt ).
The Sector Identifier can be concatenated with a local account ID and a salt
value that is kept secret by the Provider. The concatenated string is then
encrypted using an appropriate algorithm.
Calculate sub = AES-128 ( sector_identifier | local_account_id | salt ).
The Issuer creates a Globally Unique Identifier (GUID) for the pair of
Sector Identifier and local account ID and stores this value.
The request parameter
enables OpenID Connect requests to be passed in a single,
self-contained parameter and to be signed and optionally encrypted.
It represents the request as JWT whose Claims are the request parameters
specified in .
This JWT is called a Request Object.
Support for the request parameter is OPTIONAL.
The request_parameter_supported
Discovery result indicates whether the OP supports this parameter.
Should an OP not support this parameter and an RP uses it,
the OP MUST return the request_not_supported
error.
When the request parameter is used,
the OpenID Connect request parameter values contained in the JWT
supersede those passed using the OAuth 2.0 request syntax.
However, some parameters MAY be passed using the OAuth 2.0 request syntax
even when a Request Object is used;
this would typically be done to enable a cached,
pre-signed (and possibly pre-encrypted) Request Object value
to be used containing the fixed request parameters, while parameters that
may vary with each request, such as state and
nonce, are passed as OAuth 2.0 parameters.
Even if a scope parameter
is present in the Request Object,
a scope parameter MUST always be passed using
the OAuth 2.0 request syntax containing the
openid scope value to indicate to the
underlying OAuth 2.0 logic that this is an OpenID Connect request.
The Request Object MAY be signed or unsigned (plaintext).
When it is plaintext, this is indicated by use of the
none algorithm
in the JWS header. If signed, the Request Object
SHOULD contain the Claims
iss (issuer)
and aud (audience) as members,
with their semantics being as defined in the
JWT specification.
The Request Object MAY also be encrypted using JWE,
with nested signing and encryption
performed as described in the JWT specification.
request and
request_uri parameters
MUST NOT be included in Request Objects.
An example set of Request Object Claims before
base64url encoding and JWS signing is as follows:
The request_uri parameter enables
OpenID Connect requests to be passed by reference, rather than by value.
This parameter is used identically to the
request parameter, other than that
the Request Object is retrieved from the resource at the specified URL,
rather than passed by value.
The request_uri_parameter_supported
Discovery result indicates whether the OP supports this parameter.
When the request_uri parameter is used,
the OpenID Connect request parameter values contained in the referenced JWT
supersede those passed using the OAuth 2.0 request syntax.
However, some parameters MAY be passed using the OAuth 2.0 request syntax
even when a request_uri is used;
this would typically be done to enable a cached,
pre-signed (and possibly pre-encrypted) Request Object value
to be used containing the fixed request parameters, while parameters that
may vary with each request, such as state and
nonce, are passed as OAuth 2.0 parameters.
Even if a scope parameter
is present in the referenced Request Object,
a scope parameter MUST always be passed using
the OAuth 2.0 request syntax containing the
openid scope value to indicate to the
underlying OAuth 2.0 logic that this is an OpenID Connect request.
Servers MAY cache the contents of the resources referenced by request URIs.
If the contents of the referenced resource could ever change,
the URI SHOULD include the base64url encoded SHA-256 hash of the
referenced resource contents as the fragment component of the URI.
If the fragment value used for a URI changes, that signals the server
that any cached value for that URI with the old fragment value
is no longer valid.
Note that Clients MAY pre-register
request_uri values using the
request_uris parameter defined in
Section 2 of the OpenID Connect
Dynamic Client Registration 1.0 specification.
There are several reasons that one might choose to use the
request_uri parameter:
The set of request parameters can become large, and may exceed browser
URI size limitations. Passing the request parameters by reference
can solve this problem.
Passing a request_uri value, rather than
a complete request by value, may reduce request latency.
Most requests for Claims from an RP are constant.
The request_uri is a way of creating
and sometimes also signing and encrypting a constant set of
request parameters in advance.
(The request_uri value becomes an "artifact"
representing a particular fixed set of request parameters.)
Pre-registering a fixed set of request parameters at registration time
enables OPs to cache and pre-validate the request parameters at
registration time, meaning they need not be retrieved at request time.
Parameter names and values MAY be JSON serialized into a JSON
structure.The parameters are serialized into a JSON structure by adding each
parameter at the highest structure level. Parameter names and string
values are included as JSON strings. Numerical values are included as
JSON numbers. Each parameter MAY have a JSON structure as its value.Following is a non-normative example of such
serialization:Depending on the transport through which the messages are sent, the
integrity of the message may not be guaranteed and the originator of the
message may not be authenticated. To mitigate these risks,
the Request Object, Token Request, ID Token, and UserInfo Response
MAY utilize JSON Web Signature
(JWS) to sign the contents.To achieve message confidentiality,
the Request Object, Token Request, ID Token, and UserInfo Response
MAY use
JSON Web Encryption (JWE) to encrypt the
content.When the message is both signed and
encrypted, it MUST be
signed first and then encrypted,
with nesting performed in the same manner as
specified for JWTs .
Note that all JWE encryption methods perform integrity checking.The server advertises its supported signing and encryption algorithms
in its discovery document.
The algorithm identifiers are specified in JWA.
The related elements are:
JSON array containing a list of the JWS signing algorithms
(alg values)
supported by the UserInfo Endpoint
to encode the Claims in a JWT .
JSON array containing a list of the JWE encryption algorithms
(alg values)
supported by the UserInfo Endpoint
to encode the Claims in a JWT .
JSON array containing a list of the JWE encryption algorithms
(enc values)
supported by the UserInfo Endpoint
to encode the Claims in a JWT .
JSON array containing a list of the JWS signing algorithms
(alg values)
supported by the Authorization Server for the ID Token
to encode the Claims in a JWT .
JSON array containing a list of the JWE encryption algorithms
(alg values)
supported by the Authorization Server for the ID Token
to encode the Claims in a JWT .
JSON array containing a list of the JWE encryption algorithms
(enc values)
supported by the Authorization Server for the ID Token
to encode the Claims in a JWT .
JSON array containing a list of the JWS signing algorithms
(alg values)
supported by the Authorization Server for
the Request Object.
Servers SHOULD support none and RS256.
JSON array containing a list of the JWE encryption algorithms
(alg values)
supported by the Authorization Server for
the Request Object.
JSON array containing a list of the JWE encryption algorithms
(enc values)
supported by the Authorization Server for
the Request Object.
JSON array containing a list of the JWS signing algorithms
(alg values)
supported by the Token Endpoint for the private_key_jwt
and client_secret_jwt methods
to encode the JWT .
Servers SHOULD support RS256.The Client registers its required algorithms for Signing and Encryption
using the following Registration parameters:OPTIONAL.
JWS signature algorithm required for Request Objects
by the Authorization Server. All Request Objects from
this client_id MUST be rejected if not signed by this algorithm.
Servers SHOULD support RS256.OPTIONAL.
JWS signature algorithm required for UserInfo Responses.
If this is specified the response will be
JWT serialized.OPTIONAL.
JWE alg
algorithm required for UserInfo Responses.
If this is requested in
combination with signing, the response
MUST be signed first then encrypted.
If this is specified, the response will be
JWT serialized.OPTIONAL.
JWE enc
algorithm required for UserInfo Responses.
If userinfo_encrypted_response_alg is specified
the default for this value is A128CBC+HS256.
OPTIONAL.
JWS signature algorithm required
for ID Tokens issued to this client_id.
The default if not specified is RS256.
The public key for validating the signature is provided by retrieving the
document from the
jwks_uri element from discovery.OPTIONAL.
JWE alg algorithm
required for ID Tokens issued to this client_id.
If this is requested, the response MUST be signed then encrypted.
The default if not specified is no encryption.OPTIONAL.
JWE enc
algorithm required for
ID Tokens issued to this client_id.
If id_token_encrypted_response_alg is specified
the default for this value is A128CBC+HS256.
The OpenID Provider provides its public keys during Discovery
using the following element:
REQUIRED.
URL of the OP's JSON Web Key Set document
that contains the Server's signing key(s)
that are used for signing responses to the Client.
The JWK Set MAY also contain the Server's encryption key(s)
that are used by the Client to encrypt requests to the Server.
When both signing and encryption keys are made available, the use (Key Use) parameter
value is REQUIRED for all keys in the document to indicate each key's intended usage.
Likewise, the Client can provide its public keys during Registration
using the following element:
OPTIONAL.
URL for the Client's JSON Web Key Set document
containing key(s) that are used for signing requests to the OP.
The JWK Set MAY also contain the Client's encryption keys(s)
that are used by the OP to encrypt the responses to the Client.
When both signing and encryption keys are made available, the use (Key Use) parameter
value is REQUIRED for all keys in the document to indicate each key's intended usage.
In addition to the Key Types defined in JSON Web Algorithms
the jwks_uri JWK Set can also contain a PKIX
Key Type, which is a key type used to enable a JWK to contain a chain of PKIX certificates.
[[ Note: The PKIX Key Type is derived from the
JSON Web Key (JWK) for PKIX Certificates
specification, which is an early work in progress.
In the future, should this functionality be incorporated into
a JOSE working group specification,
it would then no longer be replicated in this document. ]]
The PKIX Key Type defines the following JWK parameters:
REQUIRED. The value of the kty parameter MUST be
PKIX.REQUIRED. Contains a chain of one or more PKIX certificates .
The certificate chain is represented as a JSON array of certificate value strings. Each string in the array
is a DER PKIX certificate encoded as base64
(note: not base64url). The array MUST have at least one value, which MUST be the PKIX certificate of the actor
(e.g., the singer of a , or a recipient of a ).
Each additional value of the array (if any) MUST be the PKIX certificate that certifies the
previous certificate.
The PKIX key type enables the same key to be represented as an X.509 certificate as well as a simple JWK
formatted bare key in the same document. When the same key is published in both formats, the values of the
kid (Key ID), use (Key Use) and
alg (Algorithm) parameters MUST be the same for both.
When both signing and encryption keys are made available, the use (Key Use) parameter
value is REQUIRED for all keys in the JWK Set at the
jwks_uri to indicate each key's intended usage.
Although some algorithms allow the same key pair to be used for both signatures and encryption, doing so is
NOT RECOMMENDED, as it is less secure.
The following is a non-normative example of a jwks_uri document
with one RSA signing key represented using both the RSA and
PKIX key types:The signing party MUST select a signature algorithm
based on the supported algorithms of the recipient in .
When using RSA or ECDSA Signatures,
the alg
Claim of the JWS header MUST be set to the appropriate algorithm
as defined in JSON Web Algorithms.
The private key MUST be the one associated with the
Public Signing Key provided in
.
If there are multiple keys in the referenced JWK document, a
kid value MUST be provided in the JWS header.
The key usage of the respective keys MUST support signature.
When using MAC-based signatures,
the alg
Claim of the JWS header MUST be set to a MAC algorithm,
as defined in JSON Web Algorithms.
The MAC key used is
the bytes of the UTF-8 representation of
the client_secret value.
See for a discussion of
entropy requirements for client_secret values.
See for Security Considerations
about the need for signed requests.
Rotation of signing keys can be accomplished with the following approach. The signer publishes
its keys in a JWK Set at the jwks_uri location
and includes the kid of the
signing key in the JWS header of each message
to indicate to the verifier which key is to be used to validate the signature. Keys can be rolled over
by periodically adding new keys to the JWK Set at jwks_uri.
The signer can begin using a new key at its
discretion and signals the change to the verifier using the kid value.
The verifier knows to go back to the jwks_uri
to re-retrieve the keys when it sees an unfamiliar
kid value. The JWK Set document at the jwks_uri
should retain recently decommissioned signing keys for a reasonable period of time to facilitate a
smooth transition.
The encrypting party MUST select an encryption algorithm
based on the supported algorithms of the recipient in .
All JWTs MUST be signed before encryption
to enable verification of the Issuer.
Use the link registered/discovered in
to retrieve the relevant key.
If there are multiple keys in the referenced JWK document, a
kid value MUST be provided in the JWE header.
Use the supported RSA KeyWrap algorithm to KeyWrap a random
Content Master Key to be used for encrypting
the signed JWT.
The key usage of the respective keys MUST include encryption.
Create an ephemeral Elliptic Curve public key for the epk
element of the JWE header.
Use the link registered/discovered in
to retrieve the relevant key.
If there are multiple keys in the referenced JWK document, a
kid value MUST be provided in the JWE header.
Use the ECDH-ES algorithm to KeyWrap a random
Content Master Key to be used for encrypting
the signed JWT.
The key usage of the respective keys MUST support encryption.
The symmetric encryption key is derived from the
client_secret value by
using a left truncated SHA-256 hash of
the bytes of the UTF-8 representation of
the client_secret.
The SHA-256 value MUST be left truncated to the appropriate bit length
for the AES KeyWrap algorithm used,
for instance, to 128 bits for A128KW.
See for Security Considerations
about the need for encrypted requests.
Rotating encryption keys is necessarily a different process than for signing keys because
the encrypting party starts the process and thus cannot rely on a change in kid as a signal
to know that keys need to change. The encrypting party still uses the kid header in the JWE
to tell the decrypting party which private key to use to decrypt, however, the encrypting party
needs to first select the most appropriate key from those provided in the JWK Set at
jwks_uri. To rotate keys, the decrypting party can publish new keys
at jwks_uri and remove from the JWK Set those that are being decommissioned.
The jwks_uri should include a Cache-Control
header in the response that contains a max-age directive,
as defined in RFC 2616,
which allows the encrypting party to safely cache the JWK Set and not have to re-retrieve
the document for every encryption event. The decrypting party should remove decommissioned keys
from the JWK Set at jwks_uri but retain them internally for some reasonable
period of time, coordinated with the cache duration, to facilitate a smooth transition between keys
by allowing the encrypting party some time to obtain the new keys. The cache duration should also
be coordinated with the issuance of new signing keys as described in .
If any of the validation procedures defined in this specification fail, any operations requiring
the information that failed to correctly validate MUST be aborted and
the information that failed to validate MUST NOT be used.
Authorization Request Validation consists of two main
steps: (1) decryption and signature validation of
the value of request or
the content of request_uri,
and (2) parameter validation.
If a Request Object was sent in the request parameter or by reference in the
request_uri parameter, the
Request Object MUST validate as
JWS or JWE
encoded objects,
for which nested encryption and signing may have been performed
in the manner described in the JWT specification.If the Authorization Server has advertised JWE encryption algorithms
in the request_object_encryption_alg_values_supported and
request_object_encryption_enc_values_supported elements of its
Discovery Document, these are used by the Client to encrypt the JWT.
The Authorization Server MUST decode the JWT in accordance with
the JSON Web Encryption specification.
The result MAY be either a signed or unsigned (plaintext) Request Object.
In the former case, signature validation MUST be performed
as defined in .
The Authorization Server MUST return the error if there is a decryption error.To perform Signature Validation,
the alg parameter in the JWS header MUST match the value
of the request_object_signing_alg set during
Client Registration or a value that was
pre-registered by other means.The signature must be validated against the key registered for that client_id
and algorithm, in accordance with the
JSON Web Signature specification.The Authorization Server MUST return the Authorization Error Response
if there is a signature validation error.The Authorization Server MUST construct the Authorization Request Message
from the Request Object
and the OAuth 2.0 Authorization Request parameters.
If the same parameter exists both in
the Request Object and the OAuth Authorization Request parameters,
the parameter in the Request Object is used.
Using this Authorization Request Message, the Authorization Server performs
the following steps of the request validation:
The Authorization Server MUST validate all the
OAuth 2.0 parameters according to the OAuth 2.0 specification.
The Authorization Server MUST verify that all the required parameters
are present.
If the sub (subject) Claim
as a member of id_token element
is requested with a specific value,
the Authorization Server MUST only send a positive response if that user
has an active session with the Authorization Server.
The Authorization Server MUST not reply with an ID Token or
Access Token for a different user,
even if they have an active session with the Authorization Server.
If the acr Claim is requested
as an Essential Claim for the ID Token
with a values parameter requesting
specific Authentication Context Class Reference values, then
the Authorization Server MUST return an acr
Claim value that matches one of the requested values.
The Authorization Server MAY ask the user to re-authenticate
with additional factors
to meet this requirement. If this is an Essential Claim and the
requirement cannot be met, then the Authorization Server MUST
treat that outcome as a failed authentication attempt.
The Client MAY request this Claim as an optional Claim
by using the acr_values request parameter
or by not including "essential": true in the individual
acr Claim request.
If the Claim is not Essential and the requested value for
the user cannot be provided, the Authorization Server SHOULD return
the session's current acr as
the value of the acr Claim.
If the Claim is not Essential, the Authorization Server is not required to
provide this Claim in its response.
If the Authorization Server encounters any error,
it MUST return the error response.To validate the ID Token in the Authorization or Token Endpoint Response, the Client
MUST do the following:If the Client has provided an
id_token_encrypted_response_alg
parameter during Registration, decrypt the ID Token
using the key pair specified during Registration.
The Client MUST validate that the
aud (audience) Claim
contains its client_id value
registered at the Issuer identified by the
iss (issuer) Claim
as an audience. The aud (audience) Claim may contain an array with more than one element.
The ID Token MUST be rejected if the ID Token does not list
the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
If the token contains multiple audiences or contains
an azp (authorized presenter) Claim,
the Client SHOULD verify
the identity of the presenter. The authorized presenter of the token is
identified by an azp Claim in the token.
The OAuth 2.0 Assertion Profile, a direct connection to the Token Endpoint or other extension
may be used to identify the presenter.If the id_token is received via direct
communication between the Client and the Token Endpoint, the TLS server
validation MAY be used to validate the issuer in place of
checking the token signature.
The Client MUST validate the signature of all other ID Tokens according to
JWS using the algorithm specified in the
alg parameter of the JWT header.The alg value SHOULD be the default of
RS256
or the algorithm sent by the Client
in the id_token_signed_response_alg parameter
during Registration.If the alg parameter of the JWT header is a MAC based algorithm such as
HS256, HS384,
or HS512,
the bytes of the UTF-8 representation of
the client_secret corresponding to the
client_id contained in the
aud (audience) Claim are used as the key
to validate the signature. Multiple audiences are not supported for MAC based algorithms.For other Signing algorithms, the Client must use the signing key provided
in Discovery by the Issuer.
The issuer must exactly match the value of the
iss (issuer) Claim.The current time MUST be less than the value of the
exp Claim.The iat Claim can be used to reject tokens that
were issued too far away from the current time, limiting the amount of
time that nonces must be stored to prevent attacks.
The acceptable range is Client specific.If a nonce value was sent in the Authorization Request,
a nonce Claim MUST be present
and its value checked to verify that
it is the same value as the one that was sent in the Authorization Request.
The Client SHOULD check the nonce value
for replay attacks.
The precise method for detecting replay attacks is Client specific.If the acr Claim was requested, the
Client SHOULD check that the asserted Claim Value is appropriate.
The meaning and processing of
acr Claim Values is out of scope for this specification.
If the auth_time Claim was requested,
either through a specific request for this Claim
or by using the max_age parameter,
the Client SHOULD check the auth_time Claim
value and request re-authentication if it determines too much time
has elapsed since the last End-User authentication.
To validate the UserInfo Response, the Client MUST do
the following:If the Client has provided a
userinfo_encrypted_response_alg
parameter during Registration, decrypt the UserInfo Response
using the key pair specified during Registration.If the response was signed, the Client SHOULD validate the
signature according to JWS.Check that the OP that responded was the intended OP
through a TLS server certificate check, per
RFC 6125.To validate an Access Token issued from the Authorization Endpoint with an ID Token in
response to a request containing a response_type of
token id_token or code token id_token,
the Client SHOULD do the following:Hash the access_token
with the hash algorithm specified in JWS for the
alg
parameter in the ID Token's JWS header.Take the left-most half of the hash and base64url encode it.The value of at_hash in the ID Token MUST
match the value produced in the previous step if at_hash
is present in the ID Token.To validate a code issued from the Authorization Endpoint with an ID Token in
response to a request containing a response_type of
code id_token or code token id_token, the Client SHOULD do the following:Hash the code
with the hash algorithm specified in JWS for the
alg
parameter in the ID Token's JWS header.Take the left-most half of the hash and base64url encode it.The value of c_hash in the ID Token MUST
match the value produced in the previous step if c_hash
is present in the ID Token.
The offline_access scope value requests
that an OAuth 2.0 Refresh Token be issued that can be used to
obtain an Access Token that grants access to the End-User's
UserInfo Endpoint even when the user is not present (not logged in).
When offline access is requested, a prompt
parameter value of consent MUST be used.
The user MUST always explicitly consent to the return of a Refresh Token
that enables offline access.
A previously saved user consent is not sufficient to grant offline access.
Upon receipt of a scope parameter containing the
offline_access value, the Authorization Server:
MUST ensure that the prompt parameter contains consent; if the prompt parameter
does not contain consent then
it MUST ignore the offline_access request,
MUST ignore the offline_access request
if the Client is not requesting a response_type of
code or code id_token.
MUST explicitly receive user consent for all Clients when
the registered application_type
is web,
SHOULD explicitly receive user consent for all Clients when
the registered application_type
is native.
The use of Refresh Tokens is not exclusive to the
offline_access use case.
The Authorization Server MAY grant Refresh Tokens
in other contexts that are beyond the scope of this specification.
OpenID Connect supports Self-Issued OpenID Providers -
personal OPs that issue self-signed ID Tokens.
Self-Issued OPs use the special Issuer Identifier
https://self-issued.me.
If the input identifier for the discovery process
contains the domain self-issued.me, dynamic discovery is not performed.
Instead, then the following static configuration values are used:
Note: The OpenID Foundation may consider hosting a site https://self-issued.me/
that returns the above static configuration file so that the Client would not
need any special treatment for discovery of the Self-Issued OP.
When using a Self-Issued OP, the Client is deemed to have
registered with the OP and obtained following Client Registration Response.
redirect_uri value of the Client.
0
Note: The OpenID Foundation may consider hosting the (stateless) endpoint
https://self-issued.me/registration/1.0/
that returns the response above so that the Client would not need to
perform any special processing for registration of a Self-Issued OP.
The registration request parameter
is used by the Client to provide information about itself to a Self-Issued OP
that would normally be provided to an OP during Dynamic Client Registration.
The value is a JSON object containing name/value pairs defined in
Section 2.1 of the
OpenID Connect Dynamic Client Registration 1.0
specification.
None of this information is required by Self-Issued OPs,
so the use of this parameter is OPTIONAL.
The registration parameter value is represented
in an OAuth 2.0 request as UTF-8 encoded JSON
(which ends up being form-urlencoded when passed as an OAuth parameter).
When used in a Request Object, per ,
the JSON is used as the value of the
registration member.
The Registration parameters that would typically be used in requests
to Self-Issued OPs are
policy_uri,
tos_uri, and
logo_uri.
If the Client uses more than one redirect URI, the
redirect_uris
parameter would be used to register them.
Finally, if the Client is requesting encrypted responses, it would use the
jwks_uri,
id_token_encrypted_response_alg and
id_token_encrypted_response_enc parameters.
The Client sends the Authorization Request to the Authorization Endpoint
with the following parameters:
REQUIRED. Constant string value id_token.
REQUIRED.
Client ID value for the Client, which in this case contains the
redirect_uri value of the Client.
Since the Client's
redirect_uri URI value is communicated
as the Client ID,
a redirect_uri parameter
is NOT REQUIRED to also be included in the request.
REQUIRED.
scope parameter value,
as specified in .
OPTIONAL.
Previously issued ID Token
passed to the Authorization Server as a hint about the End-User's
current or past authenticated session with the Client.
This SHOULD be present when prompt=none is used.
If the End-User identified by the ID Token is logged in or is logged in by the
request, then the Authorization Server returns a positive response;
otherwise, it SHOULD return a negative response.
If the ID Token received by the RP is encrypted, the Client MUST
decrypt the signed ID Token contained within the encrypted ID Token.
The Client MAY re-encrypt the signed ID token to the Authentication Server
using a key that enables the server to decrypt the ID Token.
In this case, the sub (subject)
of the signed ID Token MUST be sent as the
kid (Key ID) of the JWE.
Encrypting content to Self-Issued OPs is currently only supported when
the OP's JWK key type is RSA and the encryption
algorithm used is RSA1_5.
OPTIONAL.
This parameter is used to request that specific Claims be returned.
The value is a JSON object, as specified in .
OPTIONAL.
This parameter is used by the Client to provide information about itself
to a Self-Issued OP that would normally be provided to an OP during
Dynamic Client Registration,
as specified in .
OPTIONAL.
Request Object value, as specified in .
The Request Object may be encrypted in a JWE by the Client.
In this case, the sub (subject) of
a previously issued ID Token for this Client
MUST be sent as the kid (Key ID) of the JWE.
Encrypting content to Self-Issued OPs is currently only supported when
the OP's JWK key type is RSA and the encryption
algorithm used is RSA1_5.
Other parameters MAY be sent.
Note that all Claims are returned in the ID Token.
The entire URL MUST NOT exceed 2048 bytes.
Following is a non-normative example (with line wraps for display purposes only):
The Self-Issued OpenID Provider response is the same as the normal implicit flow
response with the following refinements. Since it is an implicit flow
response, the response parameters will be returned in a fragment.
The iss (issuer) Claim value is
https://self-issued.me.
A sub_jwk Claim is present, with its value being
the public key value used to check the signature of the ID Token.
The sub (subject) Claim
value is the base64url encoded SHA-256 hash of
the concatenation of the bytes of the UTF-8 representations of
the base64url encoded key values in the
sub_jwk Claim.
When the kty value is
RSA, the key values
n and
e are concatenated in that order.
When the kty value is
EC, the key values
crv,
x, and
y are concatenated in that order.
No Access Token is returned for accessing a UserInfo Endpoint,
so all Claims returned must be in the ID Token.
If any of the validation procedures defined in this specification fail, any operations requiring
the information that failed to correctly validate MUST be aborted and
the information that failed to validate MUST NOT be used.
To validate the ID Token in the Authorization or Token Endpoint Response, the Client
MUST do the following:
The Client MUST validate that the value of the iss (issuer) Claim is https://self-isued.me.
If iss contains a different value,
the ID Token is not Self-Issued, and instead
it MUST be validated according to
.
The Client MUST validate that the
aud (audience) Claim
contains the value of the redirect_uri
that the Client sent in the authentication request as an audience.
The Client MUST validate the signature of the ID Token according to
JWS using the algorithm specified in the
alg parameter of the JWT header ,
using the key in the sub_jwk Claim;
the key is a bare key in JWK format
(not an X.509 certificate value).
The alg value SHOULD be the default of
RS256.
It may also be ES256.
The Client MUST validate that the sub (subject) Claim
value is the base64url encoded SHA-256 hash of
the concatenation of the bytes of the UTF-8 representations of
the base64url encoded key values in the
sub_jwk Claim.
When the kty value is
RSA, the key values
n and
e are concatenated in that order.
When the kty value is
EC, the key values
crv,
x, and
y are concatenated in that order.
The current time MUST be less than the value of the
exp Claim
(possibly allowing for some small leeway to account for clock skew).
The iat Claim can be used to reject tokens that
were issued too far away from the current time, limiting the amount of
time that nonces must be stored to prevent attacks.
The acceptable range is Client specific.
If a nonce value was sent in the Authorization Request,
a nonce Claim MUST be present
and its value of the checked to verify that
it is the same value as the one that was sent in the Authorization Request.
The Client SHOULD check the nonce value
for replay attacks.
The precise method for detecting replay attacks is Client specific.
The following is a non-normative example of a base64url decoded
Self-Issued ID Token
(with line wraps for display purposes only):
Processing some OpenID Connect messages requires comparing
values in the messages to known values. For example, the Claim
Names returned by the UserInfo Endpoint might be compared to
specific Claim Names such as sub. Comparing Unicode strings,
however, has significant security implications.
Therefore, comparisons between JSON strings and other Unicode
strings MUST be performed as specified below:
Remove any JSON applied escaping to produce an array of
Unicode code points.
Unicode Normalization MUST NOT
be applied at any point to either the JSON string or to
the string it is to be compared against.
Comparisons between the two strings MUST be performed as a
Unicode code point to code point equality comparison.
In several places, this specification uses space delimited
lists of strings. In all such cases, only the ASCII space
character (0x20) MAY be used for this purpose.
This specification defines features used by both Relying Parties and
OpenID Providers. Features that are mandatory to implement for
Relying Parties are already described in the
OpenID Connect Basic Client Profile 1.0 and
OpenID Connect Implicit Client Profile 1.0
specifications, and so are not discussed again here.
It is expected that some OpenID Providers will require
static, out-of-band configuration of RPs using them,
whereas others will support dynamic usage by RPs without
a pre-established relationship between them.
For that reason, the mandatory-to-implement features for OPs
are listed below in two groups:
the first for all OPs and the second for "Dynamic" OpenID Providers.
All OpenID Providers MUST implement the following features defined in this specification.
This list augments the set of features that are already listed elsewhere
as being "REQUIRED" or are described with a "MUST",
and so is not, by itself, a comprehensive set of implementation requirements for OPs.
OPs MUST support signing ID Tokens with the RSA SHA-256 algorithm
(an alg value of RS256).
All OPs that issue Access Tokens MUST support the UserInfo Endpoint,
as defined in .
(Self-Issued OPs do not issue Access Tokens.)
OPs must support the prompt parameter,
as defined in , including the specified
user interface behaviors such as none
and login.
OPs must support the display parameter,
as defined in .
(Note that the minimum level of support required for this parameter is
simply to have its use not result in an error.)
OPs MUST support requests for preferred languages and scripts
for the user interface and for Claims via the
ui_locales and
claims_locales request parameters,
as defined in .
(Note that the minimum level of support required for these parameters is
simply to have their use not result in errors.)
OPs MUST support returning the time at which the user authenticated
via the auth_time Claim,
as defined in .
OPs MUST support enforcing a maximum authentication age
via the max_age parameter,
as defined in .
OPs MUST support requests for specific
Authentication Context Class Reference values
via the acr_values parameter,
as defined in .
(Note that the minimum level of support required for this parameter is
simply to have its use not result in an error.)
In addition to the features listed above,
OpenID Providers supporting dynamic establishment of relationships with RPs
that they do not have a pre-configured relationship with
MUST also implement the following features defined in this and related specifications.
These OPs MUST support Discovery,
as defined in
OpenID Connect Discovery 1.0.
These OPs MUST support Dynamic Client Registration,
as defined in
OpenID Connect Dynamic Client Registration 1.0.
These OPs MUST publish their public keys as bare keys,
rather than in in X.509 format.
These OPs MUST support requests made using a Request Object
that is retrieved from a Request URI that is provided
with the request_uri parameter,
as defined in .
This specification is an abstract specification. It needs to be
bound to a protocol to be used in practice. One such example of
protocol binding is:
OpenID Connect Standard 1.0
- Protocol binding for the full set of OpenID Connect messagesThese related OpenID Connect specifications MAY OPTIONALLY be used in
combination with this specification to provide additional functionality:
OpenID Connect Discovery
1.0 - Dynamic discovery for user and Authorization Server
endpoints and informationOpenID Connect Dynamic Client
Registration 1.0 - Dynamic registration of OpenID Connect
Clients with OpenID ProvidersOpenID Connect Basic Client Profile 1.0 -
Protocol binding for a subset of the OpenID Connect Messages
that is intended for use by basic
Web-based Relying Parties using the
OAuth authorization_code grant type.OpenID Connect Implicit Client Profile 1.0 -
Protocol binding for a subset of the OpenID Connect Messages
that is intended for use by basic
Web-based Relying Parties using the OAuth implicit grant type.OpenID Connect Session Management
1.0 - Session management for OpenID Connect sessionsOAuth 2.0 Threat Model and
Security Considerations provides an extensive list of threats and controls
that applies to this standard as well.
ISO/IEC 29115
also provides threats and controls that
implementers should take into account.
In addition, this standard provides
additional control measures listed below. If appropriate measures are not taken, a request may be disclosed to
an attacker, posing security and privacy threats.In addition to what is stated in Section 5.1.1 of ,
this standard provides a way to provide the confidentiality of the request
end to end through the
use of request or request_uri
parameters, where the content of the request
is an encrypted JWT with the appropriate key and cipher.
This protects even against a compromised User-Agent
in the case of indirect request.A malicious Server may masquerade as the legitimate server
using various means. To detect such an attack, the Client needs to authenticate
the server. In addition to what is stated in Section 5.1.2 of ,
this standard provides a way to authenticate the Server through either the
use of Signed or Encrypted JWTs
with an appropriate key and cipher.An Attacker may generate a bogus token or modify the token content
(such as the authentication or
attribute statements) of an existing parseable token, causing the RP to grant
inappropriate access to the Client. For example, an Attacker may modify
the parseable token to extend the validity period; a Client may modify the
parseable token to have access to information that they should not be able to view.
There are two ways to mitigate this attack:The token can be digitally signed by the OP. The Relying
Party SHOULD validate the digital signature to verify that it was
issued by a legitimate OP.The token can be sent over a protected channel such as TLS.
See for more information on using TLS.
In this specification, the token is always sent over a TLS protected channel.
Note however, that this measure is only a defense against third party attackers
and is not applicable to the case where the Client is the attacker.Server response may contain authentication and attribute
statements that include sensitive Client information. Disclosure of the
response contents can make the Client vulnerable to other types of
attacks.The server response disclosure can be mitigated in the following two
ways:
Using the code response type.
The response is sent over a TLS protected
channel, where the Client is authenticated by the
client_id and
client_secret.For other response types,
the signed response can be encrypted with the Client's
public key or a shared secret as an encrypted JWT
with an appropriate key and cipher.A response may be repudiated by the server if the proper mechanisms are not in place.
For example, if a Server does not digitally sign a response, the Server can claim that it was not
generated through the services of the Server.To mitigate this threat, the response may be digitally signed by
the Server using a key that supports non-repudiation. The Client SHOULD validate
the digital signature to verify that it was issued by a legitimate
Server and its integrity is intact.Since it is possible for a
compromised or malicious Client to send a request to the wrong party,
a Client that was authenticated
using only a bearer token can repudiate any transaction.
To mitigate this threat, the Server MAY require that the
request be digitally signed by
the Client using a key that supports non-repudiation.
The Server SHOULD validate
the digital signature to verify that it was issued by a legitimate
Client and the integrity is intact.An Attacker uses the Access Token generated for one resource to
obtain access to a second resource.
To mitigate this threat, the Access Token should be audience
and scope restricted. One way of implementing it is to include
the identifier of the resource for whom it was generated as audience.
The resource verifies that
incoming tokens include its identifier as the audience of the
token.An Attacker attempts to use a one-time use token such as
an Authorization Code that has already
been used once with the intended Resource.
To mitigate this threat, the token SHOULD include a timestamp
and a short validity lifetime.
The Relying Party then checks the timestamp and lifetime values
to ensure that the token is currently valid.Alternatively, the server may record the state of the use of
the token and check the status for each request. In addition to the attack patterns described in
Section 4.4.1.1 of ,
an Authorization Code can be captured in the User-Agent where the TLS
session is terminated if the User-Agent is infected by malware.
However, capturing it is not useful as long as the profile
uses either Client authentication or an encrypted response.A user may attempt to impersonate a more
privileged user by subverting the communication channel between the
Token Endpoint and Client, for example by reordering the messages,
to convince the Token Endpoint
that his or her authorization grant corresponds to the grant sent on
behalf of the more privileged user. Responses to Token Requests are bound to the corresponding
requests by message order in HTTP, as both token and requests are
protected by TLS that can detect and disallow malicious reordering of
packets.A timing attack allows the attacker to
obtain an unnecessary large amount of information through the elapsed time
differences in the code paths taken by successful and unsuccessful decryption operations or
successful and unsuccessful signature validation of a message.
It can be used to reduce the effective key length of the
cipher used. Implementations should not terminate the validation process
at the instant of the finding an error but should continue
running until all the octets have been processed to avoid this attack.There are various crypto related attacks possible depending on the
method used for encryption and signature / integrity checking.
Implementers should consult the Security Considerations
for the JWT specification and
specifications that it references
to avoid the vulnerabilities
identified in these specifications.
Signatures over encrypted text are not considered valid
in many jurisdictions.
Therefore, for integrity and non-repudiation,
this specification requires signing
the plain text JSON Claims.OpenID Connect supports multiple issuers per Host and Port combination.
The issuer returned by discovery MUST exactly match the value of
iss in the ID Token.OpenID Connect treats the path component of any URI as
part of the user identifier. For instance, the subject
"1234" with an issuer of "https://example.com" is not
equivalent to the subject "1234" with an issuer of
"https://example.com/sales".
It is RECOMMENDED that only a single issuer per host be used.
Implementations MUST support TLS.
Which version(s) ought to be implemented will vary over
time, and depend on the widespread deployment and known
security vulnerabilities at the time of implementation.
At the time of this writing,
TLS version 1.2
is the most recent version, but has very limited actual
deployment, and might not be readily available in
implementation toolkits.
TLS version 1.0
is the most widely deployed version, and will give the
broadest interoperability.
To protect against information disclosure and tampering,
confidentiality protection MUST be applied using TLS
with a ciphersuite that provides confidentiality and
integrity protection.
Whenever TLS is used, a TLS server certificate check
MUST be performed, per RFC 6125.
Access Token grants are not revocable by the Authorization Server.
Access Token grant lifetimes SHOULD be kept to single use or
very short lifetimes.If access to the UserInfo Endpoint or other protected resources is required,
a Refresh Token should be used. The Client may then exchange the Refresh Token at
the Token Endpoint for a fresh short-lived Access Token that can be used to
access the resource.
The Authorization Server SHOULD clearly identify long-term grants to the User
during Authorization.
The Authorization Server SHOULD provide a mechanism for the user to revoke
Refresh Tokens granted to a Client.
In and , keys are derived
from the client_secret value.
Thus, when used with symmetric signing or encryption operations,
client_secret values MUST contain
sufficient entropy to generate cryptographically strong keys.
Also, client_secret values MUST also contain
at least the minimum of number of bytes required for MAC keys for the
particular algorithm used.
So for instance, for HS256, the
client_secret value MUST contain
at least 8 bytes (and almost certainly SHOULD contain more,
since client_secret values are
likely to use a restricted alphabet.
In some situations, Clients may need to use signed requests to ensure that
the desired request parameters are delivered to the OP without having
been tampered with. For instance, the max_age
and acr_values provide more assurance about
the nature of the authentication performed when delivered in signed requests.
In some situations, knowing the contents of an OpenID Connect request may,
in and of itself, reveal sensitive information about the End-User.
For instance, knowing that the Client is requesting a particular Claim or
that it is requesting that a particular authentication method be used
may reveal sensitive information about the End-User.
OpenID Connect enables requests to be encrypted to the OpenID Provider
to prevent such potentially sensitive information from being revealed.
The UserInfo Response typically contains Personally Identifiable
Information (PII). As such, End-User consent for the release of the information
for the specified purpose SHOULD be obtained at or prior to the
authorization time in accordance with relevant regulations. The purpose
of use is typically registered in association with the redirect_uris.Only necessary UserInfo data should be stored at the Client and the
Client SHOULD associate the received data with the purpose of use
statement.The Resource Server SHOULD make the UserInfo access log available to
the End-User so that the End-User can monitor who accessed his data.To protect the End-User from a possible correlation among Clients, the
use of a Pairwise Pseudonymous Identifier (PPID) as the sub SHOULD be considered.
This specification registers the Claims defined in
and in the IANA
JSON Web Token Claims registry
defined in .
Claim Name: name
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: given_name
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: family_name
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: middle_name
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: nickname
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: preferred_username
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: profile
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: picture
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: website
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: email
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: email_verified
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: gender
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: birthdate
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: zoneinfo
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: locale
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: phone_number
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: address
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: updated_time
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: azp
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: nonce
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: auth_time
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: at_hash
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: c_hash
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: acr
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: amr
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
Claim Name: sub_jwk
Change Controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.net
Specification Document(s): of this document
This specification registers the following parameters
in the IANA
OAuth Parameters registry
defined in RFC 6749.
Parameter name: nonceParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: displayParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: promptParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: max_ageParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: ui_localesParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: claims_localesParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: id_token_hintParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: login_hintParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: acr_valuesParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: claimsParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: registrationParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: requestParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: request_uriParameter usage location: Authorization RequestChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: NoneParameter name: id_tokenParameter usage location: Authorization Response,
Access Token ResponseChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentRelated information: None
This specification registers the following errors
in the IANA
OAuth Extensions Error registry
defined in RFC 6749.
Error name: invalid_redirect_uriError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: interaction_requiredError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: login_requiredError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: session_selection_requiredError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: consent_requiredError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: invalid_request_uriError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: invalid_request_objectError usage location: Authorization EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentError name: invalid_schemaError usage location: UserInfo EndpointRelated protocol extension: OpenID ConnectChange controller: OpenID Foundation Artifact Binding Working Group - openid-specs-ab@lists.openid.netSpecification document(s): of this documentUnicode Normalization Formsmarkdavis@google.comken@unicode.orgOpenID Connect Discovery 1.0Nomura Research Institute,
Ltd.Ping IdentityMicrosoftIllumilaOpenID Connect Dynamic Client Registration 1.0Nomura Research Institute,
Ltd.Ping IdentityMicrosoftJSON Web Token (JWT)MicrosoftPing IdentityNomura Research Institute, Ltd.JSON Web Signature (JWS)MicrosoftPing IdentityNomura Research Institute, Ltd.JSON Web Encryption (JWE)MicrosoftRTFM, Inc.Cisco Systems, Inc.JSON Web Key (JWK)MicrosoftJSON Web Algorithms (JWA)MicrosoftJSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0MicrosoftPing Identity Corp.SalesforceAssertion Framework for OAuth 2.0Ping Identity Corp.Salesforce.comMicrosoftMicrosoftISO/IEC FDIS 29115 --
Information technology - Security techniques - Entity authentication
assurance frameworkInternational Organization for StandardizationISO 639-1:2002. Codes for the representation of names of
languages -- Part 1: Alpha-2 codeInternational Organization for
StandardizationISO 3166-1:1997. Codes for the representation of names of
countries and their subdivisions -- Part 1: Country codesInternational Organization for
StandardizationISO 8601:2004. Data elements and interchange formats - Information interchange -
Representation of dates and timesInternational Organization for
StandardizationE.164: The international public telecommunication numbering planInternational Telecommunication UnionThe tz databasePublic DomainOAuth 2.0 Multiple Response Type Encoding PracticesGoogleGoogle FacebookOpenID Connect Basic Client Profile 1.0Nomura Research Institute, Ltd.Ping IdentityMicrosoftGoogleSalesforceOpenID Connect Implicit Client Profile 1.0Nomura Research Institute, Ltd.Ping IdentityMicrosoftGoogleSalesforceIllumilaOpenID Connect Standard 1.0Nomura Research Institute, Ltd.Ping IdentityMicrosoftGoogleSalesforceIllumilaOpenID Connect Session Management
1.0Nomura Research Institute, Ltd.Ping IdentityMicrosoftGoogleSalesforceIllumilaOpenID Authentication 2.0OpenID FoundationOpenID Provider
Authentication Policy Extension 1.0Six Apart, Ltd.548 4th StreetSan FranciscoCA94107USAdavid@sixapart.comhttp://www.sixapart.com/Microsoft CorporationOne Microsoft Way, Building 40/5138RedmondWA98052USAmbj@microsoft.comhttp://www.microsoft.com/Independentjohnny.bufu@gmail.comJanRain5331 SW Macadam Ave. #375PortlandOR97239USAcygnus@janrain.comhttp://janrain.com/Nomura Research Institute, Ltd.Marunouchi Kitaguchi Building, 1-6-5 MarunouchiChiyoda-kuTokyo100-0005Japann-sakimura@nri.co.jphttp://www.nri.co.jp/JSON Web Key (JWK) for PKIX Certificates (work in progress)Cisco Systems, Inc.mamille2@cisco.comPing Identity Corp.brian.d.campbell@gmail.comAs a successor version of OpenID, this specification heavily relies
on ideas explored in OpenID Authentication 2.0. Please
refer to Appendix C of OpenID Authentication 2.0 for the full list of
the contributors for that specification.In addition, the OpenID Community would like to thank the following
people for the work they have done in the drafting and editing of this
specification.Naveen Agarwal (naa@google.com), GoogleAmanda Anganes (aanganes@mitre.org), MitreCasper Biering (cb@peercraft.com), PeercraftJohn Bradley (ve7jtb@ve7jtb.com), Ping IdentityJohnny Bufu (jbufu@janrain.com), JanrainTim Bray (tbray@textuality.com), GoogleBrian Campbell (bcampbell@pingidentity.com), Ping IdentityBreno de Medeiros (breno@gmail.com), GooglePamela Dingle (pdingle@pingidentity.com), Ping IdentityVladimir Dzhuvinov (vladimir@nimbusds.com), NimbusDSGeorge Fletcher (george.fletcher@corp.aol.com), AOLRoland Hedberg (roland.hedberg@adm.umu.se), IndependentRyo Ito (ryo.ito@mixi.co.jp), mixi, Inc.Edmund Jay (ejay@mgi1.com), IllumilaMichael B. Jones (mbj@microsoft.com), MicrosoftTorsten Lodderstedt (t.lodderstedt@telekom.de), Deutsche TelekomNov Matake (nov@matake.jp), IndependentChuck Mortimore (cmortimore@salesforce.com), SalesforceAnthony Nadalin (tonynad@microsoft.com), MicrosoftHideki Nara (hideki.nara@gmail.com), Takt CommunicationsAxel Nennker (axel.nennker@telekom.de), Deutsche TelekomDavid Recordon (dr@fb.com), FacebookJustin Richer (jricher@mitre.org), MitreNat Sakimura (n-sakimura@nri.co.jp), Nomura Research Institute, Ltd.Luke Shepard (lshepard@fb.com), FacebookAndreas Akre Solberg (andreas.solberg@uninett.no), UNINETPaul Tarjan (pt@fb.com), FacebookCopyright (c) 2013 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works from,
distribute, perform and display, this Implementers Draft or
Final Specification solely for the purposes of (i) developing
specifications, and (ii) implementing Implementers Drafts and
Final Specifications based on such documents, provided that attribution
be made to the OIDF as the source of the material, but that such attribution
does not indicate an endorsement by the OIDF.
The technology described in this specification was
made available from contributions from various sources,
including members of the OpenID Foundation and others.
Although the OpenID Foundation has taken steps to help ensure
that the technology is available for distribution, it takes
no position regarding the validity or scope of any intellectual
property or other rights that might be claimed to pertain to
the implementation or use of the technology described in
this specification or the extent to which any license under
such rights might or might not be available; neither does it
represent that it has made any independent effort to identify
any such rights. The OpenID Foundation and the contributors
to this specification make no (and hereby expressly disclaim any)
warranties (express, implied, or otherwise), including implied
warranties of merchantability, non-infringement, fitness for
a particular purpose, or title, related to this specification,
and the entire risk as to implementing this specification is
assumed by the implementer. The OpenID Intellectual
Property Rights policy requires contributors to offer
a patent promise not to assert certain patent claims against
other contributors and against implementers. The OpenID Foundation invites
any interested party to bring to its attention any copyrights,
patents, patent applications, or other proprietary rights
that may cover technology that may be required to practice
this specification.
[[ To be removed from the final specification ]]-16
Fixed #709 - OpenID Request Object - "registration" in non-Self-Issued case.
Fixed #711 - Awkward phrase "The following Claims are REQUIRED and OPTIONAL".
Fixed #712 - "azp" definition clarification.
Fixed #713 - Explicitly require "sub" claim to be returned from UserInfo endpoint.
Fixed #715 - Delete "profile" from request object example.
Fixed #729 - ITU-T X.1254 | ISO/IEC 29115 now separate.
Fixed #722 - Text on "id_token_hint" needs to be clarified.
Fixed #718 - Text on re-encrypting should be clearer.
Fixed #738 - Behavior when "openid" scope is omitted.
Fixed #714 - Clarified text specifying response_type behaviors, including
prohibiting the use of the "token" response_type, since it returns no ID Token.
Added statement "whenever TLS is used, a TLS server certificate check
MUST be performed, per RFC 6125" to
TLS Requirements section in Security Considerations.
State that when any validations fail, any operations requiring
the information that failed to correctly validate MUST be aborted and
the information that failed to validate MUST NOT be used.
Fixed #742 - Added new ui_locales parameter.
Fixed #743 - Promoted preferred_locales
to being a top-level parameter. Also renamed it to
claims_locales to disambiguate it
from the new ui_locales parameter.
Fixed #744 - Promoted max_age
to being a top-level parameter.
Fixed #748 - Promoted claims to being a
top-level parameter separate from the OpenID Request Object.
Fixed #765 - Created acr_values top-level
request parameter and changed default_acr
registration parameter to default_acr_values.
Fixed #761 - client_secret as the HMAC key and #762 - client_secret to key.
We now use the phrase "the bytes of the UTF-8 representation of
the client_secret value".
Also added security considerations about symmetric key entropy.
Fixed #597 - Changed representation of omitted year in birthdate
from 9999 to 0000.
Fixed #769 - Added Claim Type identifiers and definition.
Fixed #773 - Added request_uris
registration parameter to pre-register
request_uri values.
Also clarified that the referenced resource contents may be cached.
Fixed #748 - Changed OpenID Request Object processing rules so that
the Request Object parameters are combined with those passed as
OAuth 2.0 parameters, with the Request Object parameters taking precedence.
This enables fixed parameters to be passed in pre-signed, possibly
pre-encrypted, and cached Request Objects, with parameters that will
vary per request like state and
nonce being passed as OAuth 2.0 parameters.
This is particularly important now that
request_uri values can be pre-registered.
Fixed #765 - Added Security Considerations about the need for signed
and encrypted requests.
Fixed #763 - OPs MUST treat the inability to return an Essential
requested acr Claim value as
a failed authentication attempt.
Fixed #739 - Added values for Self-Issued registration.
Fixed #779 - Parameters missing from IANA Considerations.
Fixed #760 - Added rationale for request_uri usage.
Fixed #782 - Changed uses of "_url" in identifiers to "_uri".
Fixed #703 - Added the PKIX JWK key type (and example)
for X.509 certificates and consolidated the
x509_uri,
x509_encryption_uri, and
jwk_encryption_uri parameters into
a combined jwk_uri parameter.
Also Fixed #704 - Provided suggested guidance about how to do key rotation of
asymmetric keys for both signing and encryption
using jwk_uri.
Made UserInfo Endpoint MTI to support for all OPs that issue Access Tokens.
Fixed #719 - Moved message definitions for Self-Issued OPs to the Messages spec.
Fixed #671 - Specified that an Access Token must be requested when
Claims are requested from the UserInfo endpoint.
Fixed #717 - Parameters and values should be distinguished more clearly.
Fixed #786 - Changed the name of jwk_uri
to jwks_uri.
Clarified when the http scheme can and can not
be used in redirect_uri values.
Fixed #748 - Defined MTI features for OPs.
Also added request_not_supported error code.
Fixed #784 - Required publication of public keys as bare keys.
Fixed #785 - Enabled scope values to be used to request Claims
when using the response_type value
id_token (for which no Access Token is issued).
Fixed #787 - Don't prohibit returning an ID Token from the Token Endpoint
when grant types other than authorization_code
are used.
Fixed #710 - Gave an example of how requesting Claims with scope values
is equivalent to requesting them with the
claims request parameter.
Stated that the azp Claim
is only needed when the party requesting the ID Token
is different than the audience of the ID Token.
Fixed #788 - Renamed "OpenID Request Object" to "Request Object".
Use legal acr values in examples.
Fixed #789 - Added amr
(authentication methods references) Claim.
Fixed #790 - Removed "MUST understand" text about request parameters,
since OAuth requires that unrecognized parameters MUST be ignored.
Added requirements for ID Tokens returned as a result of
a token refresh request.
-15
Fixed #671 - Section 2.1.1 added test to require client to request an access token for
the UserInfo Endpoint if requesting the default scopes.
Fixed #637 - Removed requirement for hash of at_token and code to be SHA2 in
Section 2.1.2.1 and Section 5.2.
Fixes #620 - Update Section 2.1.2 and Section 2.2.3 to allow for other token types, but make bearer mandatory to support for clients.
Fixes #684 Removed error response in redirect to client if the redirect_uri is wrong to align with OAuth.
Fixed #695 - Contradictory OPTIONAL MUSTs in JWT Client Authentication.
Fixed #600 - Register Connect Claims in JWT Claims Registry.
Made the OpenID Foundation Artifact Binding Working Group the change controller for
the values registered with IANA.
Moved OAuth error registrations from Standard to Messages
since the errors are defined in Messages and not in Standard.
Use "OpenID Connect" as the "Related protocol extension" value in
OAuth Extensions Error registry entries.
Fixed #657 - Section 2.1.1 Specify the sub is used as the kid if the request object or id_token_hint is encrypted.
Added Implementation Considerations section on
Mandatory to Implement (MTI) features, per issue #604.
Specified that dynamic OPs must publish their public keys in X.509 format, per issue #633.
Fixed #648 - Specific response types now used in place of "implicit flow" and "code flow".
The wording for at_hash and c_hash is now clearer.
Fixed #698 - Inconsistent use of articles.
Fixed #699 - OpenID Provider (OP) definition repetitive.
Fixed #701 - Mention of SWD without a reference.
Fixed #700 - Incomplete specification names.
Fixed #702 - Make scopes a reference to the scopes section.
Fixed #702 - Consent is for claims - not scopes.
Fixed up Scopes section to make it clear that claims requested by the scopes are voluntary.
OAuth Threat Model is now RFC 6819.
Renamed the user_jwk Claim to
sub_jwk, paralleling the change from
user_id to sub.
Defined and registered the sub_jwk claim.
-14
Fixed #687 - Inconsistency between user_id
and prn claims. The fix changed these names:
user_id -> sub, user_id_types_supported -> subject_types_supported,
user_id_type -> subject_type, and prn -> sub.
Fixed #689 - Track JWT change that allows JWTs to have multiple audiences.
Fixed #660 - Clarified that returning the sub
value from the UserInfo endpoint is mandatory.
Fixed #636 - ID Token authorized party claim.
Fixed #539 - Add scope for offline access.
Fixed #690 - Inconsistent language in requirement of id_token response_type.
Clarified that jwk_uri and
jwk_encryption_uri refer to
documents containing JWK Sets - not single JWK keys.
Fixed #689 - Add caution about multiple audiences and azp.
Fixed #692 typos.-13
Fixed #588 - Messages: Token lifetime not privacy considerationFixed #597 - Messages: Changed claim name birthday to birthdate and made the format ISO 8601:2004Fixed #606 - Messages - 2.1.1. ID Token - acr missing the type. Type String.Fixed #617 - Messages - 1.2 Terminology: id_token. Added sentence that it can contain other claims. Fixed #608 - Messages - Request ID Token and Response ID Token. Moved response ID Token from section 2.1 to the response section.Fixed #543 - Messages - Security Consideration. Added ref to X.1254 | ISO 29115. Fixed #611 - Messages - Changed the default test to indicate that the value of auth_time needs to be essential Fixed #646 - Messages - Add login_hint as an OAuth parameter and put in example in request objectFixed #607 - Messages - add example decoded id_token.Fixed #658 - Messages - 2.1.1 "id_token" name crash, id_token renamed to id_token_hintFixed #612 - Messages - 4.1 change request_object_algs_supported to be RS256Fixed #662 - Messages - changed id_token_signed_response_algs to id_token_signed_response_alg in 5.1Fixed #678 - Messages - Changed 5.1.3 terminology of acr to reflect essential vs. required and fixed exampleFixed #679 - Messages - update reference to LoA registry from ID to RFC6711.
Fixed #614 - Discovery - 3.2 Distinguishing between signature and integrity parameters for HMAC algorithms.
This fix tracks the parameter changes made to the JWE spec in draft-ietf-jose-json-web-encryption-06.
It deletes the parameters {userinfo,id_token}_encrypted_response_int.
It replaces the parameters {userinfo,id_token,request_object,token_endpoint}_algs_supported
with {userinfo,id_token,request_object,token_endpoint}_signing_alg_values_supported
and {userinfo,id_token,request_object,token_endpoint}_encryption_{alg,enc}_values_supported.
Fixed #673 - Registration 2.1: Rename require_signed_request_object to request_object_alg.
The actual change was to rename
require_signed_request_object to request_object_signing_alg,
following the naming convention used in the resolution to issue #614.
Fixed #666 - JWS signature validation vs. verification.Referenced OAuth 2.0 RFCs -- RFC 6749 and RFC 6750.Fixed #663 Sec 5.2 to allow for non SHA2 HMAC algs-12
Added preferred_username claim
under profile scopeAdded section on claim stabilityChanged request_uri to
request_uri in Section 2.1.2.1-11
Removed claims_in_id_token scope value,
per decision on June 15, 2012 special working group call-10
Changed verified to
email_verified, per issue #564Added scope value claims_in_id_token
as a switch to indicate that the UserInfo claims should be
returned in the ID Token, per issue #561Removed optional claim request parameter
and added essential claim request parameter,
per issue #577. We changed terminology from "optional" to "voluntary"
and "required" to "essential" to better match privacy policy requirements.Removed Check ID Endpoint, per issue #570Added PAPE Reference to the Informative References, per issue #574Added "id_token" response type as being MTI for OpenID ProvidersSpecified that parameters present in both the OpenID Request Object and the
OAuth 2.0 Authorization Request MUST exactly match, per issue #575Changed OpenID Request Object from being specified as a JWT
to being specified as a JWS signed base64url encoded JSON object, per issue #592Changed default ID Token signing algorithm to RS256, per issue #571Changed default OpenID Request Object signing algorithm to RS256, per issue #571Made use of the nonce REQUIRED when using the implicit flow
and OPTIONAL when using the code flow, per issue #569Changed client.example.com to client.example.org, per issue #251Listed author of ISO29115 as "International Telecommunication Union and
International Organization for Standardization", per issue #589Added method of calculating signing and encryption keys for
symmetric algorithms, per issue #578Use standards track versions of JSON Web Token (JWT) and
OAuth JWT Bearer Token Profiles specs
(draft-ietf-oauth-json-web-token and draft-ietf-oauth-oauth-jwt-bearer)-09Added error interaction_required and removed
user_mismatched, per issue #523Changed invalid_request_redirect_uri to invalid_redirect_uri,
per issue #553Removed "embedded" display type, since its semantics were
not well defined, per issue #514Added optional id_token to authorization request parameters, per issue #535Now requested claims add to those requested with scope values, rather than replacing them, per issue #547Make changes to allow path in the issuer_identifier, per issue #513Make changes to userinfo_encrypted_response_* and id_token_encrypted_response_* to match registrationAdd hash and hash check of access_token and code to id_token, per issue #510Updated NoticesUpdated References-08Updated the version number and dateFixed #551 Sec 2.1.2.1 to clarify the OpenID Request Object MUST NOT include "request" nor "request_uri"Fixed #540 Sec 2.2.3 id_token MUST NOT be returned for grant_type=refreshFixed #542 Sec 2.1.2.1 required fields for request object to match StandardFixed Sec 2.2.1 to refer to client_secret value rather than Client PasswordFixed Sec 4.2, 4.3, 4.4 to replace requirement for using x.509 keyuse extensionAdded reference to RFC2459Fixed Sec 2.1.1.1.1 added rationale for sector_identifier_url from registrationFixed Sec 2.1.1.1.1 added examples of other ways to generate PPIDAdded iat as a required claim in ID TokensEnumerated claims requested by the "profile" scope valueFixed Sec 2.1.2 response_type references standard rather than repeating values that are binding specificFixed Sec 2.1.2 remove outdated language about openid scope requiring id_token to be returned with token response_type-07Removed definition and usage for assertion and claim objectConsistent use of End-UserRemoved 'format' from userinfo and id_token object of the OpenID Request Objectemail scope allows access to the 'verified' claimID Token 'audience' claim MUST be client_idRename artifact to authorization codeRemoved language pertaining to custom userinfo schemasCheck ID Endpoint returns only JSONUpdated Check ID Response verificationRemove 'audience' parameter from Authorization RequestMoved display=none to prompt=noneAdded additional display parameter optionsMoved IANA considerations to StandardAdded error codes to Authorization EndpointAdded client authentication section regarding various supported client
authentication schemes and their validation.
This includes symmetric and asymmetric authentication, JWT Bearer Token
Profiles, OAuth 2.0 Assertion ProfileUpdated Check ID Response verificationAdded 'auth_time' to ID TokenAdded validation for request object encryption and signatureAdded explanation for user_id type and calculating pairwise identifiersAdded steps for signature and validation and encryption and decryptionAdded verification of issuer identifierRedefined 'nonce' in Authorization Request. Changed to REQUIRED parameter.Changed usage of the word "approval" to "consent"Use RFC 6125 to verify TLS endpointsID Token MUST be JWTAccess Tokens should include an audience claim for the Resource ServerUpdated Security ConsiderationsOpenID Request Object parameters takes precedence over the same parameters in
the Authorization RequestAllow other gender strings in UserInfo schemaChanged UserInfo claim 'locale' to 'preferred_locales' and changed it to be a
list of valuesChanged UserInfo claim 'user_id' to REQUIRED. Added requirement to compare
user_id from userinfo endpoint to id_tokenRECOMMENDED E.164 format for UserInfo 'phone_number' claimChanged UserInfo Error Response to augment and return OAuth 2.0 Bearer Token Error ResponseExpanded section regarding UserInfo 'address' claimAdded Privacy considerationsAdded rational for signing then encrypting added to security considerationsAdded section about string comparison rules neededThe Authorization Server MUST understand all the request parameters
except for any unsupported claims.Make openid scope provide user_id from userinfo endpointAdded explanation of select_accountCheck ID Endpoint uses ID Token as Access Token according to Bearer Token specClients MUST verify client_id in ID TokenBumped version + dateUpdate John Bradley email and affiliation for Implementer's DraftRemoved invalid_authorization_code, invalid_id_token error codesSection 2.3 client MUST NOT send encrypted JWT to the Check ID EndpointSection 2.1.2.1.2 Added user_id claim and moved iso29115 to claims element of id_token memberDefined Authentication Context, Authentication Context Class Reference (acr), replaced iso29115 with acr.Corrected instances of x509_url_encryption to x509_encryption_url
and jwk_url_encryption to jwk_encryption_url-06Changed section 3.1.4.1 to say the errors are returned as
defined by the response type not always as query
parameters. per ticket #174.Bumped version + date.Fixed section 3.3.3 to refer to errors in Bearer Token.Fixed 3.1.3 to ref the other response types ticket #173.Included reference to multiple response types.Fixed 3.1.2.1 to indicate default Claims in id_token.Fixed section 3.2.2 to reference the access token response from the token endpoint 4.1.4.Fixed section 3.2.1 to include refresh tokens.Fixed section 3.1.1 to be clear on JWT being the token format per ticket #171.-05Changed check_session to check_id.schema=openid now required when requesting UserInfo.Removed issued_to, since not well defined.Removed display values popup, touch, and mobile, since not well defined.-04 Changes associated with renaming "Lite" to "Basic Client"
and replacing "Core" and "Framework" with "Messages" and
"Standard".Numerous cleanups, including updating references.-03 Added secret_type to the Token endpoint.Minor edits to the samples.-02 Incorporates feedback from Nat Sakimura.-01 First Draft that incorporates the merge of the Core and Framework
specs.